How to install FreeIPA Client on AlmaLinux 9


How do I install and configure the FreeIPA Client on AlmaLinux 9? In our last guide, we covered the installation of the FreeIPA server on AlmaLinux 9. This article focuses on how to install the FreeIPA Client on AlmaLinux 9. The FreeIPA Client is installed on machines that are to be authenticated against the FreeIPA Server.

FreeIPA Client integrates with many Linux native services such as:

  • SSH – server can keep SSH public keys used by both sshd and ssh
  • SUDO – server can provide centralized sudoers to all clients
  • automount – server can keep automounting maps consumed by client autofs differentiated by a location
  • SELinux user map – server can keep policies to assign different SELinux user roles to users, based on their group or host group

These integrations allow a System Administrator to conveniently configure them centrally, on the FreeIPA server. When a management command is executed on the Client machine, the FreeIPA client sends it to the server where it is executed.

Prerequisites

To get started, ensure you have the following:

  • An AlmaLinux 9 server – This demo uses a server with the hostname greencloud
  • You can refer to the FreeIPA server installation and configuration at: https://green.cloud/docs/how-to-install-freeipa-server-on-almalinux-9/
  • The Linux client machine also uses an AlmaLinux machine, with the hostname green1
  • A non-root user with root administrator privileges.

Configure FreeIPA Client on AlmaLinux 9

Set the correct system hostname.

hostnamectl set-hostname green1.example.com

The hostname must be a fully qualified domain name, such as ipa.example.com. Once it is set, also configure the system timezone to match your region:

timedatectl set-timezone Africa/Nairobi

If you do not have working DNS resolution, add the hostname and IP address of your IPA server (and of this client) to the /etc/hosts file before enrolling the client.

$ nano /etc/hosts
IP_server greencloud.example.com
IP_client green1.example.com

Setup NTP Client on FreeIPA Client to sync time with FreeIPA Server

  • NTP: Configure NTP Server

    Install Chrony on the FreeIPA server so it can act as the NTP server for time synchronization:

    dnf -y install chrony
    nano /etc/chrony.conf
    # Visit https://www.ntppool.org/en/ and choose public NTP servers to use as sources; pick servers close to your server's location.
    # line 3 : change the servers to synchronize with (replace with NTP servers for your own region)
    # the NTP server itself needs to sync its time with other NTP servers
    #pool 2.almalinux.pool.ntp.org iburst
    server 0.africa.pool.ntp.org
    # line 27 : add the network range that is allowed to send time synchronization requests to this server
    # specify your local network and so on
    # if not specified, only localhost is allowed
    allow 64.44.x.x
    systemctl enable --now chronyd

If Firewalld is running, allow NTP service. NTP uses [123/UDP].

firewall-cmd --add-service=ntp
success
firewall-cmd --runtime-to-permanent
success

Verify that it works:

chronyc sources


  • NTP : Configure NTP Client

The NTP client configuration is mostly the same as the server's; however, NTP clients do not need to receive time synchronization requests from other hosts, so the [allow ***] line is not needed.

dnf -y install chrony
nano /etc/chrony.conf
# line 3 : change to your own NTP server or others in your timezone
#pool 2.almalinux.pool.ntp.org iburst
pool greencloud.example.com iburst
systemctl enable --now chronyd
# verify status
chronyc sources


Installing ntpstat makes it possible to display the time synchronization status.

dnf -y install ntpstat
ntpstat

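Before running ipa-client-install it is worth confirming that the steps above (FQDN hostname, /etc/hosts entries, chrony synchronization) actually took effect, because the installer only warns about them after it has already enrolled the host. The script below is an added example and is not part of the original guide: it checks a hostname for FQDN shape, a hosts file for the expected entries, and chronyc output for a synced source. IPA_SERVER defaults to the server name used in this guide, and the SAMPLE_* strings are constructed test data, not captured output.

```shell
#!/bin/sh
# Added pre-enrollment check for a FreeIPA client (example code, not part of
# the original guide). The SAMPLE_* values are constructed, not captured.

IPA_SERVER=${IPA_SERVER:-greencloud.example.com}

# Constructed /etc/hosts content of the shape the guide asks for.
SAMPLE_HOSTS='64.44.177.7 greencloud.example.com   # IPA server
64.44.177.8 green1.example.com       # this client'

# Constructed `chronyc sources` output: '^*' marks the selected, synced source.
SAMPLE_SOURCES_SYNCED='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* greencloud.example.com        2   6   377    34   +112us[ +134us] +/-   41ms'

# Same, but the server has never been reached ('^?').
SAMPLE_SOURCES_UNSYNCED='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? greencloud.example.com        0   6     0     -     +0ns[   +0ns] +/-    0ns'

# 0 if NAME is a fully qualified hostname: two or more labels, each 1-63
# characters of [A-Za-z0-9-] that neither start nor end with '-'.
is_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $1
    set +f
    IFS=$old_ifs
    for label; do
        case "$label" in
            ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
        esac
        [ "${#label}" -le 63 ] || return 1
    done
    return 0
}

# 0 if the /etc/hosts-style text on stdin maps NAME to an address.
hosts_has() {
    sed 's/#.*//' | awk -v n="$1" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if the `chronyc sources` text on stdin has a selected, synced source
# (the second character of the first column is '*').
chrony_has_sync() {
    awk 'substr($1, 2, 1) == "*" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Runtime-only: forward and reverse lookup of NAME through the resolver.
# getent follows nsswitch, so an /etc/hosts entry satisfies it; the installer
# additionally wants matching A/AAAA and PTR records in IPA DNS.
dns_roundtrip() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || { echo "$1 does not resolve" >&2; return 1; }
    back=$(getent hosts "$addr" | awk 'NR == 1 { print $2 }')
    [ "$back" = "$1" ] || { echo "$addr resolves back to '$back', not $1" >&2; return 1; }
}

# Run every check against the live system: sh precheck.sh --run
main() {
    rc=0
    host=$(uname -n)
    is_fqdn "$host" || { echo "hostname '$host' is not fully qualified" >&2; rc=1; }
    for n in "$host" "$IPA_SERVER"; do
        dns_roundtrip "$n" || rc=1
    done
    if chronyc sources 2>/dev/null | chrony_has_sync; then
        echo "time is synchronized"
    else
        echo "chrony has no synced source; ipa-client-install will fail to sync time" >&2
        rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The functions are pure text filters, so they can be exercised on the constructed samples without a FreeIPA server; only `main` (behind `--run`) touches the resolver and chronyd of the machine it runs on.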

  • Install FreeIPA Client

Install the FreeIPA Client packages:

dnf -y install freeipa-client

Finally, configure the FreeIPA client on your system by running the command below.

[root@green1 ~]# ipa-client-install --mkhomedir
This program will install the IPA client.
Version 4.10.2

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com
Provide your IPA server name (ex: ipa.example.com): greencloud.example.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: green1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: greencloud.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to synchronize time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  2024-03-21 05:34:39
    Valid Until: 2044-03-21 05:34:39

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (green1.example.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host green1.example.com: 64.44.177.7, 2602:ffc8:5:a034::c9ba.
Missing reverse record(s) for address(es): 64.44.177.7.
Incorrect reverse record(s):
  2602:ffc8:5:a034::c9ba is pointing to a-b-9-c-0-0-0-0-0-0-0-0-0-0-0-0-4-3-0-a-5-0-0-0-8-c-f-f-2-0-6-2.reverse-dns. instead of green1.example.com.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring example.com as NIS domain.
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Client configuration complete.
The ipa-client-install command was successful
[root@green1 ~]#

If you have a working DNS setup, the FreeIPA client installer can discover the FreeIPA server and pull the required settings automatically. In that case the command:

sudo ipa-client-install

should be sufficient to configure the client machine.

Enable Creation of home directories on the first Login

If the user’s home directory is not created automatically, enable this feature by running the command below.

$ authselect enable-feature with-mkhomedir
systemctl enable --now oddjobd
exit

Check that user identities from the IPA server are visible on the client:

$ id admin
uid=933400000(admin) gid=933400000(admins) groups=933400000(admins)

Using FreeIPA ipa Command Line Management Tool

You can administer the FreeIPA Server from the client machine using the ipa command line tool.

First, obtain a Kerberos ticket.

$ kinit admin
Password for admin@EXAMPLE.COM: 

Check ticket expiry information using klist.

$ klist 
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting       Expires              Service principal
03/29/24 05:30:02    03/30/24 05:22:16    krbtgt/EXAMPLE.COM@EXAMPLE.COM

Test by adding a user account and listing accounts present:

$ ipa user-add green \
  --first=Green --last=User \
  --email=[email protected] --password

Password: 
Enter Password again to verify: 
-------------------
 Added user "green"
-------------------
   User login: green
   First name: Green
   Last name: User
   Full name: Green User
   Display name: Green User
   Initials: GU
   Home directory: /home/green
   GECOS: Green User
   Login shell: /bin/bash
   Principal name: green@EXAMPLE.COM
   Principal alias: green@EXAMPLE.COM
   User password expiration: 20240329023338Z
   Email address: [email protected]
   UID: 933400004
   GID: 933400004
   Password: True
   Member of groups: ipausers
   Kerberos keys available: True

Verify with:

ipa user-find green

Enable Passwordless Authentication using Private Key

If you would like to authenticate to a server without a password, add your public key to your user entry on the FreeIPA server through the web UI: click the Add button under “SSH public keys”, paste your public key into the box and save.

Removing IPA Client from AlmaLinux 9 system

Removal of the FreeIPA client on AlmaLinux 9 can be done by running the command:

$ ipa-client-install --uninstall

Conclusion

There you have it. FreeIPA client has been installed and configured on the AlmaLinux 9 system. Refer to our guides below to install and configure FreeIPA clients on other systems.