How to install FreeIPA Client on AlmaLinux 9
How do I install and configure the FreeIPA Client on AlmaLinux 9? In our last guide, we covered the installation of the FreeIPA server on AlmaLinux 9. This article focuses on how to install the FreeIPA Client on AlmaLinux 9. The FreeIPA Client is installed on the machines that are to be authenticated against the FreeIPA Server.
FreeIPA Client integrates with many Linux native services such as:
- SSH – server can keep SSH public keys used by both sshd and ssh
- SUDO – server can provide centralized sudoers to all clients
- automount – server can keep automounting maps consumed by client autofs differentiated by a location
- SELinux user map – server can keep policies to assign different SELinux user roles to users, based on their group or host group
These integrations allow a System Administrator to configure them centrally, on the FreeIPA server. When a management command is executed on the client machine, the FreeIPA client sends it to the server, where it is executed.
Prerequisites
To get started, ensure you have the following:
An AlmaLinux 9 server – This demo uses a server with the hostname greencloud
You can refer to the freeIPA server installation and configuration at: https://green.cloud/docs/how-to-install-freeipa-server-on-almalinux-9/
The client is also an AlmaLinux 9 machine, with the hostname green1.
A non-root user with sudo (root administrator) privileges.
Configure FreeIPA Client on AlmaLinux 9
Set the correct system hostname.
hostnamectl set-hostname green1.example.com
The hostname must be a fully qualified domain name, such as ipa.example.com. Once it is set, also configure the system timezone to match your region:
timedatectl set-timezone Africa/Nairobi
Once the FreeIPA Client packages are installed (below) and before enrolling, add the hostname and IP address of your IPA server, and of the client itself, to the /etc/hosts file if you do not have working DNS resolution.
$ nano /etc/hosts
IP_server greencloud.example.com
IP_client green1.example.com
Setup NTP Client on FreeIPA Client to sync time with FreeIPA Server
- NTP: Configure NTP Server
Install Chrony to Configure NTP Server for Time Synchronization.
Install and configure Chrony.
dnf -y install chrony
nano /etc/chrony.conf
# Visit https://www.ntppool.org/en/ and choose the public NTP servers that will be used as sources.
# This mostly depends on where your server is located: choose nearby NTP servers as the source.
# line 3 : change the servers to synchronize with (replace with an NTP server in your own region)
# the NTP server itself needs to sync its time with other NTP servers
#pool 2.almalinux.pool.ntp.org iburst
server 0.africa.pool.ntp.org
# line 27 : add the network range allowed to send time synchronization requests to this server (NTP clients)
# specify your local network and so on
# if not specified, only localhost is allowed
allow 64.44.x.x
systemctl enable --now chronyd
If Firewalld is running, allow NTP service. NTP uses [123/UDP].
firewall-cmd --add-service=ntp
success
firewall-cmd --runtime-to-permanent
success
Verify it works normally.
chronyc sources
- NTP : Configure NTP Client
Configure NTP Client.
NTP client configuration is mostly the same as the server's. However, NTP clients do not need to receive time synchronization requests from other hosts, so the [allow ***] line is not needed.
dnf -y install chrony
nano /etc/chrony.conf
# line 3 : change to your own NTP server or others in your timezone
#pool 2.almalinux.pool.ntp.org iburst
pool greencloud.example.com iburst
systemctl enable --now chronyd
# verify status
chronyc sources
If you install ntpstat, you can also display the time synchronization status.
dnf -y install ntpstat
ntpstat
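Kerberos rejects requests whose clock skew exceeds the KDC tolerance (300 seconds by default), so an unsynchronised client fails enrolment and kinit. The following pre-flight check is an added example, not part of the original article: it parses the output of chronyc sources and chronyc tracking (passed in as text, so it can also be run on captured output) and refuses to proceed until a source is selected and the offset is within tolerance.

```sh
# Pre-flight clock check before ipa-client-install (added example, not from the
# original article). The parsers take the text of "chronyc sources" and
# "chronyc tracking" as an argument so they can be exercised on captured output.

# 0 if some source is currently selected and synchronised: in "chronyc sources"
# that line starts with "^*" (server) or "=*" (peer).
chrony_has_selected_source() {
    printf '%s\n' "$1" | grep -Eq '^(\^|=)\*'
}

# 0 if the "System time" line of "chronyc tracking" reports an offset below
# $2 seconds (default 300, the Kerberos clockskew). awk does the float
# comparison; chrony prints the offset as an absolute value ("fast of"/"slow of").
chrony_offset_within() {
    printf '%s\n' "$1" | awk -v limit="${2:-300}" '
        /^System time/ { if ($4 + 0 < limit + 0) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Combined check; on a live client run:
#   check_clock "$(chronyc sources)" "$(chronyc tracking)"
check_clock() {
    chrony_has_selected_source "$1" || { echo "no synchronised chrony source yet" >&2; return 1; }
    chrony_offset_within "$2" || { echo "offset exceeds Kerberos clock skew" >&2; return 1; }
    echo "clock synchronised; safe to enrol" >&2
}

# Constructed sample output (not captured from the demo hosts).
SAMPLE_SOURCES_OK='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* greencloud.example.com        3   6   377    21   +123us[ +145us] +/-   45ms'
SAMPLE_SOURCES_BAD='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? greencloud.example.com        0   6     0     -     +0ns[   +0ns] +/-    0ns'
SAMPLE_TRACKING_OK='Reference ID    : 4043B0E4 (greencloud.example.com)
Stratum         : 4
System time     : 0.000123456 seconds fast of NTP time
Leap status     : Normal'
SAMPLE_TRACKING_BAD='System time     : 412.5 seconds slow of NTP time'

check_clock "$SAMPLE_SOURCES_OK" "$SAMPLE_TRACKING_OK"
```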
- Install FreeIPA Client
Install FreeIPA Client packages.
dnf -y install freeipa-client
Finally, configure the FreeIPA client on your system by running the command below.
[root@green1 ~]# ipa-client-install --mkhomedir
This program will install the IPA client.
Version 4.10.2

DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com
Provide your IPA server name (ex: ipa.example.com): greencloud.example.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]: no
Client hostname: green1.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: greencloud.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to synchronize time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  2024-03-21 05:34:39
    Valid Until: 2044-03-21 05:34:39

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (green1.example.com) does not have A/AAAA record.
Failed to update DNS records.
Missing A/AAAA record(s) for host green1.example.com: 64.44.177.7, 2602:ffc8:5:a034::c9ba.
Missing reverse record(s) for address(es): 64.44.177.7.
Incorrect reverse record(s):
2602:ffc8:5:a034::c9ba is pointing to a-b-9-c-0-0-0-0-0-0-0-0-0-0-0-0-4-3-0-a-5-0-0-0-8-c-f-f-2-0-6-2.reverse-dns. instead of green1.example.com.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring example.com as NIS domain.
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
Client configuration complete.
The ipa-client-install command was successful
If you have a DNS server that carries the FreeIPA service records, the FreeIPA client installer can discover the FreeIPA server and pull the required settings itself, so the command:
sudo ipa-client-install
should be sufficient to configure the client machine.
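DNS discovery works through SRV records under the DNS domain; when they are missing you get the "DNS discovery failed" and "No SRV records of NTP servers found" messages seen above, and the client is pinned to a single server with no failover. The script below is an added example (not part of the original article) that checks those records before enrolment; the lookup command is a parameter so the logic can be exercised offline against constructed answers.

```sh
# Pre-enrolment check of the SRV records ipa-client-install's discovery uses
# (added example, not from the original article; assumes dig is installed).

# Core SRV names a FreeIPA server publishes for its domain (the _ntp one only
# when the IPA server also acts as an NTP source).
ipa_srv_names() {
    for svc in _ldap._tcp _kerberos._udp _kerberos._tcp _kpasswd._udp _ntp._udp; do
        printf '%s.%s\n' "$svc" "$1"
    done
}

# Turn "dig +short SRV" lines ("prio weight port target.") into "target:port".
parse_srv_short() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Usage: check_ipa_discovery example.com ["lookup command"]. The lookup command
# receives one SRV name and must print dig +short style lines; returns 0 only
# when every expected record resolves.
check_ipa_discovery() {
    domain=$1; lookup=${2:-"dig +short SRV"}; missing=0
    for name in $(ipa_srv_names "$domain"); do
        targets=$($lookup "$name" | parse_srv_short | tr '\n' ' ')
        if [ -z "$targets" ]; then
            echo "MISSING $name" >&2; missing=$((missing + 1))
        else
            echo "$name -> $targets" >&2
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed resolver answers mirroring the demo: everything except _ntp._udp.
fake_lookup_no_ntp() {
    case "$1" in
        _ldap._tcp.*)                      echo "0 100 389 greencloud.example.com." ;;
        _kerberos._udp.*|_kerberos._tcp.*) echo "0 100 88 greencloud.example.com." ;;
        _kpasswd._udp.*)                   echo "0 100 464 greencloud.example.com." ;;
    esac
}
# Same, with the NTP record present as well.
fake_lookup_full() {
    case "$1" in
        _ntp._udp.*) echo "0 100 123 greencloud.example.com." ;;
        *)           fake_lookup_no_ntp "$1" ;;
    esac
}
```

On a real client run `check_ipa_discovery example.com` with no second argument so that dig is used.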
Enable creation of home directories on first login
If the user’s home directory is not created automatically, enable this feature by running the command below.
$ authselect enable-feature with-mkhomedir
systemctl enable --now oddjobd
exit
Check that the client can now resolve user identities from the FreeIPA server.
$ id admin
uid=933400000(admin) gid=933400000(admins) groups=933400000(admins)
Using FreeIPA ipa Command Line Management Tool
You can administer the FreeIPA Server from the client machine using the ipa command line tool.
First, obtain a Kerberos ticket.
$ kinit admin
Password for admin@EXAMPLE.COM:
Check ticket expiry information using klist.
$ klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
03/29/24 05:30:02    03/30/24 05:22:16    krbtgt/EXAMPLE.COM@EXAMPLE.COM
Test by adding a user account and listing accounts present:
$ ipa user-add green \
--first=Green --last=User \
--email=[email protected] --password
Password:
Enter Password again to verify:
-------------------
Added user "green"
-------------------
User login: green
First name: Green
Last name: User
Full name: Green User
Display name: Green User
Initials: GU
Home directory: /home/green
GECOS: Green User
Login shell: /bin/bash
Principal name: green@EXAMPLE.COM
Principal alias: green@EXAMPLE.COM
User password expiration: 20240329023338Z
Email address: [email protected]
UID: 933400004
GID: 933400004
Password: True
Member of groups: ipausers
Kerberos keys available: True
Verify.
ipa user-find green
Enable Passwordless Authentication using Private Key
If you would like to authenticate to a server without a password, add your SSH public key to your user entry on the FreeIPA server:
In the FreeIPA web UI, open the user entry, click the Add button under "SSH public keys", paste your public key into the box and save.
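The same can be done from the command line with ipa user-mod, and the result can be verified on the client, since the /etc/ssh/sshd_config.d/04-ipa.conf written by ipa-client-install makes sshd fetch keys through SSSD. The script below is an added example, not from the original article; it assumes a Kerberos ticket for an admin (kinit admin) and the user green created above, and validates the key line locally before pushing it.

```sh
# Add a user's SSH public key via the CLI and confirm the client serves it
# (added example, not from the original article). The key line is the usual
# authorized_keys format: "<type> <base64 blob> [comment]".

# Print the key type encoded inside the base64 blob. The SSH wire format starts
# with a 4-byte big-endian length followed by the type string, so a blob whose
# embedded type disagrees with the first field is corrupt or mislabelled.
ssh_pubkey_embedded_type() {
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    len=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4 |
          awk 'NF == 4 { print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
    [ -n "$len" ] && [ "$len" -gt 0 ] && [ "$len" -lt 64 ] || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$len" 2>/dev/null
}

# 0 when the declared type is one OpenSSH accepts and matches the embedded type.
ssh_pubkey_is_valid() {
    declared=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case "$declared" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    [ "$(ssh_pubkey_embedded_type "$1")" = "$declared" ]
}

# Push the key, then confirm SSSD on this client returns it: sshd is configured
# by ipa-client-install to call sss_ssh_authorizedkeys, so this is the same
# lookup a login would perform. Note that --sshpubkey replaces the whole key
# list; repeat the option for every key the user should keep.
ipa_set_user_sshkey() {
    ssh_pubkey_is_valid "$2" || { echo "refusing to push a malformed key" >&2; return 1; }
    ipa user-mod "$1" --sshpubkey="$2" >/dev/null || return 1
    sss_cache -u "$1"        # drop the cached user entry so the lookup is fresh
    sss_ssh_authorizedkeys "$1" | grep -qF "$(printf '%s\n' "$2" | awk '{ print $2 }')"
}

# Constructed ed25519 key line (all-zero key bytes: well-formed, not usable).
SAMPLE_KEY_OK="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA green@green1"
# Same blob with the wrong declared type, which the check must reject.
SAMPLE_KEY_MISLABELLED="ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA green@green1"

if [ "$#" -eq 2 ]; then ipa_set_user_sshkey "$1" "$2"; fi   # sh add-key.sh green "$(cat ~/.ssh/id_ed25519.pub)"
```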
Removing IPA Client from AlmaLinux 9 system
Removal of the FreeIPA client on AlmaLinux 9 can be done by running the command:
$ ipa-client-install --uninstall
Conclusion
There you have it. FreeIPA client has been installed and configured on the AlmaLinux 9 system. Refer to our guides below to install and configure FreeIPA clients on other systems.