Tuesday, November 19, 2024

How To Install FreeIPA Client on CentOS 8 / RHEL 8


How do I install and configure the FreeIPA Client on CentOS 8 / RHEL 8? In our last guide, we covered the installation of the FreeIPA server on RHEL / CentOS 8. This article focuses on installing the FreeIPA Client on CentOS 8 / RHEL 8. The FreeIPA Client is installed on machines that should authenticate users against the FreeIPA Server.

FreeIPA Client integrates with many Linux native services such as:

  • SSH – server can keep SSH public keys used by both sshd and ssh
  • SUDO – server can provide centralized sudoers to all clients
  • automount – server can keep automount maps consumed by client autofs differentiated by a location
  • SELinux user map – server can keep policies to assign different SELinux user roles to users, based on their group or host group

These integrations allow a System Administrator to conveniently configure them centrally, on the FreeIPA server. When a management command is executed on the Client machine, the FreeIPA client sends it to the server where it is executed.


Install FreeIPA Client on CentOS 8 / RHEL 8

On RHEL / CentOS 8, FreeIPA client is available as an AppStream module.

$ sudo yum module list idm
 Name         Stream             Profiles                                          Summary
 idm          DL1                adtrust, client, dns, server, default [d]         The Red Hat Enterprise Linux Identity Management system module
 idm          client [d]         default [d]                                       RHEL IdM long term support client module
 Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

From the output, you can see there are two streams, DL1 and client. For more information about the FreeIPA client stream, run:

sudo yum module info idm:client

Install FreeIPA client on CentOS / RHEL 8 system by executing the command below in your terminal.

sudo yum -y install @idm:client

Check the version of ipa-client that was installed.

$ rpm -qi ipa-client
Name        : ipa-client
Version     : 4.9.8
Release     : 6.module+el8.6.0+797+07647629
Architecture: x86_64
Install Date: Fri 21 Oct 2022 11:59:39 PM EAT
Group       : Unspecified
Size        : 270423
License     : GPLv3+
Signature   : RSA/SHA256, Tue 10 May 2022 09:24:00 PM EAT, Key ID 15af5dac6d745a60
Source RPM  : ipa-4.9.8-6.module+el8.6.0+797+07647629.src.rpm
Build Date  : Tue 10 May 2022 08:34:01 PM EAT
Build Host  : ord1-prod-x86build005.svc.aws.rockylinux.org
Relocations : (not relocatable)
Packager    : [email protected]
Vendor      : Rocky
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients
...

You can do the same for sssd.

$ rpm -qi sssd
 Name        : sssd
Version     : 2.6.2
Release     : 4.el8_6
Architecture: x86_64
Install Date: Tue 28 Jun 2022 02:31:59 AM EAT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : RSA/SHA256, Sun 15 May 2022 07:55:55 PM EAT, Key ID 15af5dac6d745a60
Source RPM  : sssd-2.6.2-4.el8_6.src.rpm
Build Date  : Sun 15 May 2022 07:37:10 PM EAT
Build Host  : ord1-prod-x86build005.svc.aws.rockylinux.org
Relocations : (not relocatable)
Packager    : [email protected]
Vendor      : Rocky
URL         : https://github.com/SSSD/sssd
Summary     : System Security Services Daemon
....

Configure FreeIPA Client on CentOS 8 / RHEL 8

Once the installation of the FreeIPA Client packages is complete, add the hostname and IP address of your IPA Server to the /etc/hosts file if you don’t have working DNS resolution.

$ sudo vim /etc/hosts
192.168.58.121 ipa.example.com

Set your system hostname.

export HNAME="rhel8.example.com"
sudo hostnamectl set-hostname $HNAME --static
sudo hostname $HNAME

Finally, configure the FreeIPA client on your system by running the command below.

sudo ipa-client-install --hostname=rhel8.example.com \
 --mkhomedir \
 --server=ipa.example.com \
 --domain example.com \
 --realm EXAMPLE.COM

Where:

  • --hostname is the fully qualified name the client enrolls under; it must match the system hostname set above
  • --mkhomedir configures PAM to create a user’s home directory on first login
  • --server is the FreeIPA server to enroll against
  • --domain is the DNS domain of the IPA deployment
  • --realm is the Kerberos realm, normally the domain in upper case

Your installation output should be similar to the example below.

This program will set up IPA client.
Version 4.7.1
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Client hostname: rhel8.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipa.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM: <admin Password>
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Valid From: 2019-03-24 10:12:55
Valid Until: 2038-03-24 10:12:55
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Systemwide CA database updated.
Hostname (rhel8.local) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host rhel8.local: 192.168.122.198.
Incorrect reverse record(s):
192.168.122.198 is pointing to rhel8.example.com
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring example.com as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

If you have a DNS server with the IPA SRV records in place, the FreeIPA client installer can discover the FreeIPA server and pull the required configuration on its own. The command:

sudo ipa-client-install

should be sufficient to configure the client machine.
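Before running ipa-client-install with fixed values, it is worth checking that the values agree with each other, because the installer only warns about some mismatches (for example the missing A/AAAA record in the output above) after enrollment has already started. The script below is an added example, not part of the original article or of FreeIPA itself. It checks that the client hostname is fully qualified and inside the domain, that the realm is the upper-cased domain, derives the base DN the installer prints, and confirms the /etc/hosts entry for the server. The hosts file it reads is a constructed sample; the values rhel8.example.com, ipa.example.com and 192.168.58.121 are taken from this article.

```sh
#!/bin/sh
# Added example (not from the original article): pre-enrollment sanity checks
# for the values passed to ipa-client-install. Every input is a constructed
# sample; nothing here reads or changes the real system.

# A client hostname must be fully qualified: two or more labels of letters,
# digits and hyphens, no label starting or ending with a hyphen.
# Compared in lower case because DNS names are case-insensitive.
is_fqdn() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' |
        grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# The Kerberos realm FreeIPA expects is the DNS domain in upper case.
realm_for_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# The installer derives the LDAP base DN from the domain:
# example.com -> dc=example,dc=com
basedn_for_domain() {
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Does a hosts-style file map this exact hostname to this IP?
# $1 = file, $2 = IP address, $3 = hostname
hosts_has_entry() {
    awk -v ip="$2" -v h="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Run every check for one planned enrollment. Prints a report and returns
# 0 only when all checks pass.
# $1 = client hostname, $2 = DNS domain, $3 = realm,
# $4 = IPA server name, $5 = IPA server IP, $6 = hosts file to consult
preflight() {
    ok=0
    if is_fqdn "$1"; then echo "ok   hostname $1 is fully qualified"
    else echo "FAIL hostname $1 is not an FQDN"; ok=1; fi
    case "$1" in
        *."$2") echo "ok   hostname is inside domain $2" ;;
        *) echo "FAIL hostname $1 is not inside domain $2"; ok=1 ;;
    esac
    if [ "$(realm_for_domain "$2")" = "$3" ]; then echo "ok   realm $3 matches domain $2"
    else echo "FAIL realm $3 does not match domain $2"; ok=1; fi
    if hosts_has_entry "$6" "$5" "$4"; then echo "ok   $4 -> $5 found in $6"
    else echo "FAIL no entry mapping $4 to $5 in $6"; ok=1; fi
    echo "info base DN will be $(basedn_for_domain "$2")"
    return $ok
}

# Constructed sample standing in for /etc/hosts on the client.
SAMPLE_HOSTS="$(mktemp)"
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
# IPA server added by hand because DNS is not available yet
192.168.58.121 ipa.example.com ipa
EOF

# Demo run with the article's values.
preflight rhel8.example.com example.com EXAMPLE.COM ipa.example.com 192.168.58.121 "$SAMPLE_HOSTS"
```

Point it at the real /etc/hosts by passing that path as the last argument; a FAIL line for the hostname check is the same condition that later shows up as the installer's "does not have A/AAAA record" warning.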

Enable Creation of home directories on the first Login

If users’ home directories are not created automatically on first login, enable this feature by running the command below.

$ sudo authconfig --enablemkhomedir --update
...
Executing: /usr/bin/authselect check
Executing: /usr/bin/authselect current --raw
Executing: /usr/bin/authselect select sssd with-sudo with-mkhomedir --force
Executing: /usr/bin/systemctl enable oddjobd.service
Executing: /usr/bin/systemctl stop oddjobd.service
Executing: /usr/bin/systemctl start oddjobd.service
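After enrollment and the authconfig run above, two artifacts tell you whether the client ended up in the intended state: /etc/ipa/default.conf, which ipa-client-install wrote, and the feature list printed by authselect current, which should now include with-sudo and with-mkhomedir. The script below is an added example, not code from the article or from FreeIPA. It reads those two sources through small parsers so the checks can be scripted, and runs against constructed copies of both (in the real layout of each) so it works anywhere; replace the sample paths with the real ones on an enrolled client.

```sh
#!/bin/sh
# Added example (not the article's own code): verify what ipa-client-install
# and authselect should have left behind. Uses constructed copies of
# /etc/ipa/default.conf and of `authselect current` output.

# Read one key from the [global] section of an IPA-style INI file.
# $1 = file, $2 = key. Prints nothing if the key is absent.
ipa_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Does saved `authselect current` output list a feature as enabled?
# $1 = captured output, $2 = feature name such as with-mkhomedir
authselect_has_feature() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /^Enabled features:/ { listing = 1; next }
        listing && $1 == "-" && $2 == f { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Compare the enrolled values with what was passed to the installer and
# confirm the PAM features this section enables. Returns 0 only if all pass.
# $1 = default.conf path, $2 = authselect output,
# $3 = expected host, $4 = expected realm, $5 = expected domain
verify_enrollment() {
    rc=0
    for pair in "host=$3" "realm=$4" "domain=$5"; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(ipa_conf_get "$1" "$key")"
        if [ "$got" = "$want" ]; then echo "ok   $key = $got"
        else echo "FAIL $key is '$got', expected '$want'"; rc=1; fi
    done
    for feature in with-sudo with-mkhomedir; do
        if authselect_has_feature "$2" "$feature"; then echo "ok   authselect feature $feature enabled"
        else echo "FAIL authselect feature $feature not enabled"; rc=1; fi
    done
    return $rc
}

# Constructed sample of /etc/ipa/default.conf for the article's enrollment.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
basedn = dc=example,dc=com
realm = EXAMPLE.COM
domain = example.com
server = ipa.example.com
host = rhel8.example.com
xmlrpc_uri = https://ipa.example.com/ipa/xml
enable_ra = True
EOF

# Constructed sample of `authselect current` output after the authconfig run.
SAMPLE_AUTHSELECT='Profile ID: sssd
Enabled features:
- with-sudo
- with-mkhomedir'

# Demo run with the article's values.
verify_enrollment "$SAMPLE_CONF" "$SAMPLE_AUTHSELECT" rhel8.example.com EXAMPLE.COM example.com
```

On a real client the call becomes verify_enrollment /etc/ipa/default.conf "$(authselect current)" "$(hostname)" EXAMPLE.COM example.com; a missing with-mkhomedir line explains the "home directory not created" symptom this section fixes.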

Check if user’s identification is visible on the server.

$ id josphat
uid=1676000008(josphat) gid=1676000008(josphat) groups=1676000008(josphat),1676000007(wheel-users)

Test FreeIPA LDAP user authentication.

$ ssh test@localhost
Password: 
Password expired. Change your password now.
Current Password: 
New password: <Set new password>
Retype new password: 
Activate the web console with: systemctl enable --now cockpit.socket
[test1@ipa ~]$ id
uid=1201400003(test1) gid=1201400003(test1) groups=1201400003(test1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Using FreeIPA ipa Command Line Management Tool

You can administer the FreeIPA Server from the client machine using the ipa command line tool.

First, obtain a Kerberos ticket.

$ sudo kinit admin
Password for admin@EXAMPLE.COM: 

Check ticket expiry information using klist.

$ klist 
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
03/24/2019 11:48:06  03/25/2019 11:48:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
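The klist output above shows the one value a script needs before calling ipa commands non-interactively: the expiry of the krbtgt entry. The script below is an added example, not from the article or from MIT Kerberos. It parses klist text in the layout shown above (the sample is constructed), converts the MM/DD/YYYY timestamps into a sortable form without depending on GNU date, and decides whether a new kinit is needed at a given moment.

```sh
#!/bin/sh
# Added example (not from the article): decide from `klist` output whether the
# TGT is still valid, so automation runs kinit only when required.

# Convert "MM/DD/YYYY" "HH:MM:SS" into a 14-digit "YYYYMMDDHHMMSS" number so
# two timestamps compare correctly with plain integer comparison.
# $1 = date, $2 = time
sortable_ts() {
    printf '%s\n' "$1 $2" |
        awk -F'[/ :]' '{ printf "%04d%02d%02d%02d%02d%02d\n", $3, $1, $2, $4, $5, $6 }'
}

# Print the principal named on the "Default principal:" line.
default_principal() {
    printf '%s\n' "$1" | awk '/^Default principal:/ { print $3; exit }'
}

# Print the sortable expiry of the krbtgt entry for a realm, or nothing
# when no TGT for that realm is cached.
# $1 = klist output, $2 = realm
tgt_expiry() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        $5 == ("krbtgt/" realm "@" realm) {
            split($3, d, "/"); split($4, t, ":")
            printf "%04d%02d%02d%02d%02d%02d\n", d[3], d[1], d[2], t[1], t[2], t[3]
            exit
        }'
}

# Is the TGT for realm $2 still valid at the moment "$3 $4" (MM/DD/YYYY HH:MM:SS)?
# Returns 0 if valid, 1 if expired or absent. "now" is a parameter rather than
# the wall clock so the decision is reproducible.
tgt_valid_at() {
    expiry="$(tgt_expiry "$1" "$2")"
    [ -n "$expiry" ] || return 1
    now="$(sortable_ts "$3" "$4")"
    [ "$now" -lt "$expiry" ]
}

# Report what an automation job should do next; returns 0 when no kinit is needed.
next_action() {
    if tgt_valid_at "$1" "$2" "$3" "$4"; then
        echo "TGT for $(default_principal "$1") valid until $(tgt_expiry "$1" "$2"); nothing to do"
    else
        echo "TGT missing or expired; run: kinit $(default_principal "$1")"
        return 1
    fi
}

# Constructed sample in the same layout as the article's klist output.
SAMPLE_KLIST='Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
03/24/2019 11:48:06  03/25/2019 11:48:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/24/2019 11:50:12  03/25/2019 11:48:04  HTTP/ipa.example.com@EXAMPLE.COM'

# Demo: a check made a few hours into the ticket's lifetime.
next_action "$SAMPLE_KLIST" EXAMPLE.COM 03/24/2019 15:00:00
```

In a real job the first argument is "$(klist 2>/dev/null)" and the moment is "$(date '+%m/%d/%Y') $(date '+%H:%M:%S')"; an empty klist (no cache at all) yields no krbtgt line and is treated the same as an expired ticket.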

Test by adding a user account and listing accounts present:

$ sudo ipa user-add test \
  --first=Test --last=User \
  --email=[email protected] --password

Password: 
Enter Password again to verify: 
-------------------
 Added user "test"
-------------------
   User login: test
   First name: Test
   Last name: User
   Full name: Test User
   Display name: Test User
   Initials: TU
   Home directory: /home/test
   GECOS: Test User
   Login shell: /bin/bash
   Principal name: test@EXAMPLE.COM
   Principal alias: test@EXAMPLE.COM
   User password expiration: 20190324085532Z
   Email address: [email protected]
   UID: 1201400001
   GID: 1201400001
   Password: True
   Member of groups: ipausers
   Kerberos keys available: True

Verify.

ipa user-find test

Enable Passwordless Authentication using Private Key

If you would like to authenticate to a server without a password, add your public key to your user entry on the FreeIPA Server through the web UI:

Click the Add button under “SSH public keys”, paste your public key into the box and save.

Removing IPA Client from CentOS 8 / RHEL 8 system

Removal of FreeIPA client on CentOS / RHEL 8 can be done by running the command:

$ sudo ipa-client-install  --uninstall
Unenrolling client from IPA server
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The original nsswitch.conf configuration has been restored.
You may need to restart services or reboot the machine.
Do you want to reboot the machine? [no]: 
The ipa-client-install command was successful

Conclusion

There you have it. FreeIPA client has been installed and configured on RHEL / CentOS 8 system. Refer to our guides below to install and configure FreeIPA client on other systems.

