Free Ipa Installation

Freeipa installation centos 8
  1. Free Ipa Installation

First, let me apolgize for the odd, low quality that I have gotten out of my first 2 screen recordings. I'd love to blame it on Youtube, but I think it's just an effect from accidentally recording the wrong aspect ration on my iMac that runs Linux. Anyway, recorded the rest of the series on a different machine at proper 16:9 1920x1080, so those should be better.

Preparing our Server Machine for Install

Using Fedora 32 for our FreeIPA server, we need to get a few things cleaned up inside the system. So you can do all of these steps through the CLI on SSH, or you can use the Virt-Manager to view the actual desktop.

  1. Installing FreeIPA server. When all OS is ready and all prerequisites are met, let's try out FreeIPA! Install FreeIPA server. From root terminal, run: # yum install freeipa-server Note that the installed package just contains all the bits that FreeIPA uses, it does not configured the actual server. Configure a FreeIPA.
  2. To configure freeipa server in RHEL 8, the host name must be a fully qualified domain name, such as server.example.com. To verify the host name, use the hostname utility on the system where you want to install: # hostname ipa-server.example.com. The output of hostname must not be localhost or localhost6.
  3. The IPA Installation and Deployment Guide is intended for system administrators and those responsible for installing and configuring IPA. This guide assumes a good understanding of either Red Hat Enterprise Linux or Fedora, and a.

To help create and configure a suitable DNS setup, the FreeIPA installation script creates a sample zone file. During the installation, FreeIPA displays a message similar to the following: Sample zone file for bind has been created in /tmp/sample.zone.FuMf4.db. In this tutorial we will learn how to install and FreeIPA server on CentOS 7 Linux node. Overview on FreeIPA. FreeIPA like Microsoft's Active Directory, is an open source project, sponsored by Red Hat, which makes it easy to manage the identity, policy, and audit for Linux-based servers.

Sirst, let's run a couple of commands to make sure the system is fully up to date.

sudo dnf update -y

Once that completes, just reboot the server, and continue forward.

Setup our Network Interface

NOTE: I did this same set of steps on both my server (Fedora 32 Workstation) and client (Ubuntu 20.04) machines. Feel free to work on both at once if you like for this portion.

Next, let's set our network interface up to keep the IP it was given through DHCP, or set it up to request the static IP of your choosing on your network.

I did this step through the network manager UI, as for me it's just easier.

Open your Network Manager, and select the wired interface (this should be the only option in the virtual machines).

Next, click the settings gear icon for the wired interface. In the view that opens, make note of the assigned IP address (if you want to keep it, and use it), the DNS Mask, DNS IP address, and Gateway address.

Now, click on the IPv4 tab, and choose Manual from the options at the top. Next, enter the IP address from above (or the IP address you want the machine to have), then the DNS Mask (usually 255.255.255.0), and the Gateway IP Address.

Now, move down the interface to the DNS section and turn off automatic. Enter the DNS IP you saw previously (may be the same as the Gateway IP, but if you run your own DNS server, feel free to use that IP).

Save / Apply your changes, then turn off the Wired interface and turn it back on to get the changes to take effect.

Set the Hostname of the Server and Client Virtual Machines

Now we'll set the hostname of the server and client VM's. There is only 1 difference between these setup steps, and I'll point that out below when you get to it.

First, lets set the proper hostname for each machine in the /etc/hostname file.

You need to decide now what you want for your machine's FQDN (Fully Qualified Domain Name). This is a name similar to a website address. For my server I'll be using ipasrv.myhome.local, and for my client I'll be using ipa01.myhome.local.

You want to know the following values moving forward:

  1. Server IP Mine is 192.168.7.154
  2. Client IP Mine is 192.168.7.153
  3. Server FQDN / hostname Mine is ipasrv.myhome.local
  4. Client FQDN / hostnam Mine is ipa01.myhome.local
  5. Domain Mine is myhome.local
  6. Realm Mine is MYHOME.LOCAL

In your terminal enter

sudo nano /etc/hostname

In the window that opens, if the hostname displayed is not your desired FQDN, then erase what's there, and enter the proper FQDN.

Save the file with CTRL + O, then press Enter, then use CTRL + X to exit the text editor.

Next, we need to set our hostname in the /etc/hosts file.

Enter the following in the terminal.

sudo nano /etc/hosts

Make a new line at the top of the file. Enter the IP Address for the machine you are working on, then tab one time and enter the FQDN of that machine. Now tab one more time and enter just the first portion of the FQDN (what I call the shortname). It should look something like this:

Server
192.168.7.154 ipasrv.myhome.local ipasrv

Client
192.168.7.153 ipa01.myhome.local ipa01

Here's that one difference I talked about above.

On your client, in the /etc/hosts file, you need to make a second entry.

Go to the bottom of the IPv4 section (just below the localhost entries), adn make a new line. Enter the IP, FQDN, and Shortname of the server on this line. It should look like:

192.168.7.154 ipasrv.myhome.local ipasrv

Now save each file with CTRL + O and press Enter, then exit nano with CTRL + X.

Set the Firewall Rules on our Server

Next, we need to set the firewall rules on our server, and luckily FreeIPA has 2 built in commands that will set everything we need.

Run the following 2 command in the temrinal. After each one, you sould get a success response.

sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps

sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent

Install the FreeIPA Server and Supporting Software

For this point, I'll only be discussing what to do on the Server VM. We'll continue with the Client VM further down.

On our server we now need to install the FreeIPA server, and supporting software. Simply enter the following into the terminal to start the process.

sudo yum install freeipa-server freeipa-server-dns nfs-utils -y

After the installation finishes, you need to reboot your server VM so the NFSUtils package can take effect.

When you log back in, I suggest becoming root for just a bit using the sudo su command. This just makes the rest of the process slightly simpler. If you prefer to continue typing sudo for all the commands, feel free to do so.

sudo su

Now we are going to run the Full IPA Server install and Configuration. For this section just follow along with my screenshots, the video, and instructions below, and you should make it through - no problem.

ipa-server-install --mkhomedir

or if you aren't root use sudo ipa-server-install --mkhomedir

NOTE: the --makehomedir portion is very important. DO NOT leave it out.

Now the install becomes interactive.

At the prompt for configuring integrated DNS, type 'yes', then press Enter.

Next, you'll be asked to confirm your server hostname. It should pick up the hostname from the /etc/hostname file, or the /etc/hosts file, and that should be displayed in square brackets. If the detected hostname is correct, press Enter to simply accept the default.

Next, you'll get a warning about skipping DNS resolution, but it's ok. It will then ask you to confirm the domian name, which again should be correct, and displayed in square brackets. If so, press Enter to continue.

Next they system will confirm the Realm, which should just be your domain in all caps. Confirm it is, and press Enter to accept the default as long as it'c correct.

After that you'll be asked to enter a Directory Manger password. This is like the super admin of the system, and you want to make this a long, strong password that you don't share with anyone else.

After the Directory Manger password, you'll be asked to enter the IPA Admin password. Again, make this a along, strong password, and remember it, as you'll need it to log into the Web UI, and to install the client software on the client machine.

Now, you'll be asked if you want to configure DNS forwarders. You should type 'yes' here, and then check that it finds your DNS IP address (may be your DNS server, or the Geateway IP of your router depending on your setup).

If it doesn't find a correct IP for DNS, enter your Gateway IP, then press Enter. Skip any other entry of DNS IP if prompted.

Next you'll be asked about searching for Reverse Zones. Press Enter to accept the default, then Accept the [no] default for the chrony and NTP server IP.

When prompted to configure the system with these values, type 'yes', then press Enter.

The rest of the install will proceed. As long as you don't hit any errors, you should get a system message that the IPA Server was successfully installed.

Once you get the Successful comment, you'll need to type one more command to setup your admin user, and enable the Web UI.

kinit admin

After typing 'kinit admin', press Enter, and reboot the server VM.

You should now be able to route to the server IP or FQDN in your browser. If you're using a machine not on your myhome.local domain, you may need to enter the IP and FQDN in /etc/hosts.

Let's Install the Client IPA Software Now.

Now we'll install the client software, so moving over to the terminal for our client, let's make sure it's all up to date.

sudo apt update && sudo apt upgrade -y

Once that finishes, we'll reboot the client VM.

sudo reboot

When it comes back up, we want to install the FreeIPA client, which isn't the full installation, but is a bit interactive.

sudo apt install freeipa-client -y

While it's installing you'll be asked to enter or verify the server hostname, domain / Realm, and Kerberos server. The server hostname and kerberos server hostname are the same, so in my case I just want to confirm it has

Domain / Realm = myhome.local

Server / Kerberos server = ipasrv.myhome.local

Once the installation is complete, you'll be ready to run the full client install and configuration. Use the command below to start:

ipa-client-install --mkhomedir

Again, note that the flag --mkhomedir is extremely important, as if we don't in clude this on the server and client installation, the system will not know to create a home directory when we try to log in the first time with our IPA user, and it will just repeatedly bring you back to the login screen with no error or message of any kind.

When I run this, because of my DNS setup, I get a message about DNS discovery failutre. If you see this, it's ok, just fill in your domain, and press Enter if it's not autodiscovered.

Next, you'll be asked for the server hostname, so just fill it and press Enter.

You'll get a warning about autodiscovery, but just type'yes', and press Enter to continue.

You should get a summary showing all the values the client will use, so simply type 'yes' at the prompt, and press Enter.

The installer will prompt for the user authorized to enroll computers, adn you'll enter admin

Then when prompted enter your IPA Admin user password set during the server install.

After a successful install message, you'll probably want to reboot one more time, just to be sure everyihing is setup and ready.

Now, if you go to the WEbUI for your server, and login with your IPA Admin user, you can click on the 'Hosts' tab, and you should see both your server and client machines listed there.

Congratulations, you now have a FreeIPA server, and a FreeIPA Client setup and communicating.

Next, we'll cover the creation of a FreeIPA user, and logging into the client with those new user credentials.

At SANBI we’ve been using an old combination of OpenLDAP + Kerberos and nsswitch to provide LDAP with NFS directories for user accounts for our virtual machines and HPC cluster. This was originally put in place to make authentication into machines easier and to allow users to access and use the cluster without manual setup of directories and user accounts. Over time this set-up has grown to be messy and more effort to maintain than worth while.

This prompted the decision to look at alternatives. Enter FreeIPA. The main attraction to using FreeIPA is that it is much easier to use from a management and maintenance point of view. This, coupled with the fact that it’s a lot more self-contained than the original set-up prompted me to try to play around with it.

The blog post details the steps followed to set up the FreeIPA environment on servers and clients.

Server

I created virtual machine on the same host that runs the old authentication services, for the sake of keeping sanity. This system will be replaced with an OpenStack deployment that will eventually be used for systems services as well as research work at some future point (blog post on that later). The virtual machine was configured in the following way:

  • Hostname: freeipa.sanbi.ac.za
  • IP address: 192.168.2.220
  • 1vCPU / 1GB RAM / 50GB disk

I started with a system update. The usual will suffice:

Once done it’s time to install the FreeIPA stuff. This can be done through the following:

This installed around 550MB worth of files + dependencies.

Installer configuration

During the install you’ll be prompted with some configuration UIs. The first one you see will be to configure the Kerberos Realm configuration. Here you’ll enter the name you want the realm to be. The default is often your DNS domain, but in uppercase. I chose SANBI.AC.ZA.

The next prompt will be for a kerberos server(s), I for the initial set-up I used the FreeIPA (freeipa.sanbi.ac.za) server as the Kerberos server as well. The prompt after that asks which server acts as the administrative server, which would be freeipa.sanbi.ac.za. Finally, on the krb5-admin-server prompt, press OK.

Post-install configuration

Once the apt installer is complete, run the following command:

Here you’ll be presented with a bunch of configuration options. Here’s a list of the options I chose:

  • Do you want to configure integrated DNS (BIND)? [no]:no
    • We have an existing DNS server at SANBI. If you need one to be set up and managed by FreeIPA then select yes.
  • Server host name [freeipa.sanbi.ac.za]:freeipa.sanbi.ac.za
    • This is the hostname of the freeipa server for web purposes.
  • Please confirm the domain name [sanbi.ac.za]:sanbi.ac.za
    • This is the name of the domain for your DNS setup.
  • Please provide a realm name [SANBI.AC.ZA]:SANBI.AC.ZA
    • This is the name of the Kerberos realm for your IPA installation.

After this you’ll be asked to provide a password for the Directory Manager and the IPA admin. Once done, you need to specify yes to completing the configuration.

This setup process will take some time and may fail after the [25/28]: migrating certificate profiles to LDAP line with the following error:

[error] NetworkError: cannot connect to 'https://freeipa.sanbi.ac.za:8443/ca/rest/account/login': Could not connect to freeipa.sanbi.ac.za using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
ipa.ipapython.install.cli.install_tool(Server): ERROR cannot connect to 'https://freeipa.sanbi.ac.za:8443/ca/rest/account/login': Could not connect to freeipa.sanbi.ac.za using any address: (PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

To fix this, you have to edit the Python installer scripts to add a slight delay to two of the functions.

Edit the /usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py file.

We need to add a sleeper function to two functions in the codebase. The issue is that there is a timeout trying to connect to the FreeIPA API as it is still busy starting up when the request is made. Adding the sleep function will allow enough time for the API to start up.

Free Ipa Installation

In words, all you’re doing is adding an import for the time function and then adding the time function to the __import_ca_chain and migrate_profiles_to_ldap functions. Once done:

The installation of the server should now be complete. To confirm, run kinit admin and enter the password for admin, it should return no error.

You now now navigate to https://freeipa.sanbi.ac.za and log in with the kerberos admin user and pass.

Client

Most of the virtual machines at SANBI run some variant of Ubuntu. This ranges from a few outliers still on 12.04, some on 14.04 and most on 16.04. The machines that host these virtual machines are all CentOS 6.x based. Both the virtual machine hosts and virtual machines themselves were added to the ipa domain.

Before setting up the client, ensure that a FQDN is used as the hostname for the machine. For example, if the machine is configured as node11.sanbi.ac.za on DNS, ensure that the machine itself reflects this in the /etc/hostname and /etc/hosts files. This applies to both Debian and RHEL based distributions.

CentOS 6.x

On CentOS (version 6 at least), it’s fairly easy to get the machine to join the ipa domain using the ipa-client-install. Once the command is run, you will be prompted with the following:

  • Provide the domain name of your IPA server (ex: example.com):freeipa.sanbi.ac.za
    • This is the FQDN of the freeipa server.
  • Provide your IPA server name:freeipa.sanbi.ac.za
    • This is the FQDN of the freeipa server.
  • Autodiscovery of servers for failover cannot work with this configuration...yes
    • This ignores looking for failovers. This will be set up at a later stage.
  • Continue to configure the system with these values? [no]:yes
    • This confirms the installation.
  • User authorized to enroll computers:admin
    • This is the admin (default) user for the FreeIPA installation.

Once you’ve entered the password, the ipa-client-install script will take care of configuring the machine. If all goes well, you can run the command id admin and you should get a result that looks something like this:

Note: –mkhomedir was not specified for ipa-client-install here because the machines running CentOS at SANBI are mostly used as service hosts, which only admins have access to.

Ubuntu 14.04+

I had some issues getting FreeIPA working with Ubuntu 12.04, so I’ll ignore that for the time being. Getting it working in 14.04+ is a little more involved than it is on CentOS. It seems that the pam.d/* files *sometimes* don’t get configured correctly for Ubuntu when using the ipa-client-install script. This results in authentication failure error messages appearing when trying to log in to the system and forced me to have to enter single user mode in order to restore the system to a working order.

Here’s the gist:

The installation of the FreeIPA software is done the same way as with CentOS. apt-get install freeipa-client will get you access to the ipa-client-install script and I specified the --mkhomedir flag with that, since a lot of the Ubuntu VMs are user-facing. The full command I used is: ipa-client-install --domain=sanbi.ac.za --server=freeipa.sanbi.ac.za --realm=SANBI.AC.ZA -p admin --mkhomedir. After the installation is done you can test logging in and using sudo. If all works correctly, you are done.

Issues

If there are login issues, you can try the following. A couple of items need to be added or changed in the /etc/pam.d/* directory. If these lines exist you need to make sure they look the same as the following, otherwise you can add them:

FileChange
common-accountAdd: session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
common-authAdd: auth [success=4 default=ignore] pam_sss.so use_first_pass
common-accountAdd: account sufficient pam_localuser.so, account [default=bad success=ok user_unknown=ignore] pam_sss.so
common-passwordAdd: password sufficient pam_sss.so
common-sessionAdd: session optional pam_sss.so

and in the /usr/share/pam-configs/my_mkhomedir file (create it if it’s not there already), add the below:

Note: If you don’t want user account directories created on login OR you have a setup where user directories can’t be created on setup then omit the steps pertaining to home directories, i.e. leave out –mkhomedir and the pam.d configurations.