FreeIPA is an open-source identity management solution for Linux/Unix operating systems. It is the upstream project of Red Hat Identity Management (IdM), which provides authentication and authorization for Linux/Unix systems.

FreeIPA is built on top of multiple components, including the Directory Server, DNS, Kerberos, PKI, Certmonger, NTP Server, web administration UI, etc. It provides a centralized source of user credentials and access control. Using FreeIPA allows administrators to manage identity in a centralized environment easily, and also provides user monitoring, authentication, and access control.

In this guide, you will install and set up the FreeIPA server on a Debian 11 machine via Docker. You will install Docker CE (Community Edition), build a FreeIPA Server Docker image, install the FreeIPA Server, and then learn the basic management of the FreeIPA server. In addition, you will learn how to add a Linux client machine as a FreeIPA client of the FreeIPA server that runs as a Docker container.

Prerequisites

For this guide, you will need a Linux server running Debian 11 with a minimum of 4 GB of memory. You will also need a root user or non-root user with administrator privileges. As for the client, you can use any Linux distribution, but for this example, you will be using Ubuntu as the FreeIPA client machine.

Setup FQDN and Timezone

Before installing Docker and FreeIPA, you must first ensure that you have the proper fqdn (fully qualified domain name), a correct ‘/etc/hosts’ file, and the proper timezone. In this first step, you will set up the fqdn, the ‘/etc/hosts’ file, and the timezone on your Debian server.

To start, set up the fqdn of your FreeIPA server by entering the following command.

sudo hostnamectl set-hostname ipa.hwdomain.lan

Now open the ‘/etc/hosts’ file using the following nano editor command.

sudo nano /etc/hosts

Add details of IP address, fqdn, and the hostname of your system.

192.168.5.10 ipa.hwdomain.lan  ipa

Save and close the file when finished.

Now type the following commands to verify the fqdn of your system and ensure that the fqdn resolves to the correct internal IP address.

sudo hostname -f

sudo ping -c3 ipa.hwdomain.lan

Next, enter the following command to set up the timezone on your system. Be sure to change the timezone in the following command with your server timezone.

sudo timedatectl set-timezone Europe/Stockholm

Enter the following command to set up the localtime for your system.

sudo unlink /etc/localtime

sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
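A FreeIPA install fails late and noisily when the server name resolves to a loopback address (a leftover ‘127.0.1.1 ipa.hwdomain.lan’ line in ‘/etc/hosts’ is the classic cause) or when a host port it needs is already taken. The following script is an added example, not part of the original guide, that checks the fqdn, the ‘/etc/hosts’ mapping and the realm you will type later; it goes beyond this step by also probing the host ports that the later ‘docker run -p’ command publishes. The hosts file it runs against is constructed inline; the same checks apply to the client machine added at the end of the guide.

```shell
#!/bin/sh
# Added preflight check for the Docker host (example code, not from the guide).
# ipa.hwdomain.lan / hwdomain.lan / 192.168.5.10 are the guide's sample values;
# the hosts file used in the demo run at the bottom is constructed.

# Host ports the guide later publishes with -p; the container cannot bind them
# if another service (for example a local DNS stub on 53) already listens there.
FREEIPA_TCP_PORTS="53 80 443 389 636 88 464"
FREEIPA_UDP_PORTS="53 88 464 123"

# Print the address a hosts file maps to NAME. First match wins, exactly as the
# resolver behaves, so a leftover "127.0.1.1 ipa.hwdomain.lan" line shadows the
# real entry. Usage: hosts_ip_for <hosts-file> <name>
hosts_ip_for() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# ipa-server-install refuses a server name that resolves to a loopback address.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# The realm the install prompt defaults to is the DNS domain in upper case.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# A valid FQDN here is "<shortname>.<domain>" for the FreeIPA domain.
fqdn_in_domain() {
    case "$1" in
        *.*) [ "${1#*.}" = "$2" ] ;;
        *)   return 1 ;;
    esac
}

# Returns 0 when nothing listens on <tcp|udp> <port>. Uses ss when available
# and skips the check (returns 0) on hosts without it.
port_free() {
    command -v ss >/dev/null 2>&1 || return 0
    if [ "$1" = udp ]; then flag=-lun; else flag=-ltn; fi
    ! ss "$flag" 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$2\$"
}

# Run every check and report all failures instead of stopping at the first.
# Usage: preflight <hosts-file> <fqdn> <domain> <expected-ip>
preflight() {
    rc=0
    if ! fqdn_in_domain "$2" "$3"; then
        echo "FAIL: $2 is not a host in domain $3"; rc=1
    fi
    ip=$(hosts_ip_for "$1" "$2")
    if [ -z "$ip" ]; then
        echo "FAIL: $2 has no entry in $1"; rc=1
    elif [ "$ip" != "$4" ]; then
        echo "FAIL: $2 maps to $ip, expected $4"; rc=1
    fi
    if [ -n "$ip" ] && is_loopback "$ip"; then
        echo "FAIL: $2 maps to loopback address $ip"; rc=1
    fi
    for p in $FREEIPA_TCP_PORTS; do
        port_free tcp "$p" || { echo "FAIL: tcp/$p already in use on the host"; rc=1; }
    done
    for p in $FREEIPA_UDP_PORTS; do
        port_free udp "$p" || { echo "FAIL: udp/$p already in use on the host"; rc=1; }
    done
    echo "Kerberos realm to enter at the install prompt: $(realm_for_domain "$3")"
    return "$rc"
}

# Demo run on a constructed hosts file that mirrors the guide's entry plus the
# "127.0.1.1 <shortname>" line Debian adds by default (harmless: short name only).
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1    localhost
127.0.1.1    ipa
192.168.5.10 ipa.hwdomain.lan  ipa
EOF
if preflight "$SAMPLE_HOSTS" ipa.hwdomain.lan hwdomain.lan 192.168.5.10; then
    echo "preflight OK"
else
    echo "preflight FAILED, fix the items above before running docker run"
fi
rm -f "$SAMPLE_HOSTS"
```

Run it with HOSTS pointed at the real ‘/etc/hosts’ by calling preflight /etc/hosts ipa.hwdomain.lan hwdomain.lan 192.168.5.10 on the server, and again on the client with its own fqdn and address.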

Now go to the next step to start the Docker CE installation.

Installing Docker CE

FreeIPA Server can be installed in many ways; for Debian-based distributions, you can use Docker. In this section, you will install Docker CE (Community Edition) via the official Docker repository. Then you will also set up your user to allow it to run Docker containers.

First, input the following apt command to install basic dependencies. When prompted, input y to confirm and press ENTER to proceed.

sudo apt install ca-certificates \
    curl \
    gnupg \
    git \
    lsb-release


Next, download the GPG key of the Docker CE repository for Debian and add it to the apt keyrings directory.

sudo mkdir -m 0755 -p /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

Once the GPG key is added, enter the following command to add the Docker CE repository.

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null


Now run the ‘apt update‘ command below to update and refresh your Debian package index.

sudo apt update


Then, install the Docker CE packages by entering the ‘apt install’ command below. Input y to confirm when prompted and press ENTER to proceed.

sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin


With Docker CE installed, the service is automatically started and enabled. Execute the ‘systemctl‘ commands below to verify the Docker service.

sudo systemctl is-enabled docker

sudo systemctl status docker

You should see the output ‘enabled‘, which means the Docker service will start automatically at system startup, and the output ‘active (running)‘, which confirms that the Docker service is currently running.


Lastly, if you plan to run your Docker application as a non-root user, you must add that user to the ‘docker‘ group. Type the following command to do so. In this example, you will add the user ‘bob‘ to the ‘docker‘ group.

sudo usermod -aG docker bob

Now log in as the user ‘bob‘ and type the docker command below to run the ‘hello-world‘ container. If successful, you should see the welcome message from the container printed on your terminal.

su - bob

docker run hello-world


With this, you have successfully run a Docker container as the non-root user ‘bob‘. For the rest of this guide, you will execute commands as the user ‘bob‘.

Building FreeIPA Docker Image

In this section, you will build the Docker image for the FreeIPA server. To do that, you can download the FreeIPA container repository from the official FreeIPA GitHub page. After that, you can choose any of the supported Linux distributions as the base image.

First, install ‘git‘ to your Debian server via the apt command below. When prompted, input y to confirm, then press ENTER.

sudo apt install git


Now run the following git command to download the ‘freeipa-container‘ repository to your system. Then, move your working directory into it.

git clone https://github.com/freeipa/freeipa-container.git

cd freeipa-container


Now run the ‘ls‘ command below to list the files and directories in the ‘freeipa-container’ repository. You should see multiple Dockerfiles, one per base distribution, that you can use to build the FreeIPA server image on your Debian system.

ls


Next, enter the following command to build a new FreeIPA server Docker image. In this example, you will create a FreeIPA server Docker image based on ‘AlmaLinux 9‘, called ‘freeipa-almalinux9‘.

docker build -t freeipa-almalinux9 -f Dockerfile.almalinux-9 .

Once the ‘docker build‘ command is running, you should see the build progress of the Docker image for the FreeIPA server.


When the process is finished, you should see output such as ‘naming to …/…/freeipa-almalinux9‘.


Run the following command to verify the list of Docker images that are available on your system. You should see the Docker image called ‘freeipa-almalinux9‘ created and available on your system.

docker images


With the FreeIPA Docker image created, you will next install and configure the FreeIPA server via Docker.

Creating FreeIPA Server Container

In this section, you will install and configure the FreeIPA server in a Docker container. You will run a new container from the ‘freeipa-almalinux9‘ image that you have created, then walk through the FreeIPA server configuration. Once the configuration is finished, you will set up the port mapping of the FreeIPA server container to the Docker host machine.

First, type the following command to create a new data directory ‘/var/lib/freeipa-data’. This will be used as the FreeIPA server data directory.

sudo mkdir -p /var/lib/freeipa-data

Now run the following ‘docker run’ command to create and run the FreeIPA server container. In this example, you will create a new FreeIPA container called ‘freeipa-server-almalinux9‘ and store the FreeIPA server data on the host machine in the ‘/var/lib/freeipa-data‘ directory.

docker run --name freeipa-server-almalinux9 -ti \
    -h ipa.hwdomain.lan --read-only --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /var/lib/freeipa-data:/data:Z freeipa-almalinux9

During the installation, you will be asked for several configuration values for the FreeIPA server.


When asked to set up integrated DNS via BIND, press ENTER or input no.


Now input the server hostname, the domain name, and the REALM for your FreeIPA server.


Now type a new password, and repeat it, for the Directory Manager and for the IPA admin user.


For the NetBIOS name, leave it as default and press ENTER. As for NTP configuration, input no or just press ENTER.


Now check and verify the configuration summary of your FreeIPA server installation. When finished, type ‘yes‘ and press ENTER to confirm. The FreeIPA server configuration will now run, which takes some time.


When the FreeIPA server configuration is finished, you should see output such as ‘Setup complete‘ together with instructions for the next steps.


Now open a new terminal session and connect to your Debian server. Then, log in as the user ‘bob‘ and enter the following docker command to verify the running container on your system.

docker ps

You should see the container called ‘freeipa-server-almalinux9‘ with the status ‘Up‘.


At this point, the FreeIPA server is running and its data is stored in the ‘/var/lib/freeipa-data‘ directory. In the next step, you must add the port mapping for the FreeIPA server.

Enter the following commands to stop the container ‘freeipa-server-almalinux9’ and remove it. This removes the container but not the data directory ‘/var/lib/freeipa-data’.

docker stop freeipa-server-almalinux9

docker rm freeipa-server-almalinux9

Then run the following command to create a new container with port mapping for the FreeIPA server. This creates a new ‘freeipa-server-almalinux9‘ container with specific port mappings to the host machine, using the same data as the previous FreeIPA server.

docker run --name freeipa-server-almalinux9 -ti \
    -h ipa.hwdomain.lan -p 53:53/udp -p 53:53 -p 80:80 -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 -p 88:88/udp -p 464:464/udp -p 123:123/udp \
    --read-only --sysctl net.ipv6.conf.all.disable_ipv6=0 \
    -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
    -v /var/lib/freeipa-data:/data:Z freeipa-almalinux9

Switch again to another terminal session and run the following commands to stop and restart the container ‘freeipa-server-almalinux9’. This ensures that the container ‘freeipa-server-almalinux9’ runs in the background.

docker stop freeipa-server-almalinux9

docker start freeipa-server-almalinux9

Check the list of running containers on your system again. You should see the container ‘freeipa-server-almalinux9’ running with the new ports mapped to the host machine.

docker ps


With this, the deployment of the FreeIPA Server via Docker is finished. Your FreeIPA server is now reachable by clients, and you have configured the administrator passwords for both the IPA admin and the Directory Manager.

Authenticate against FreeIPA Server

After installing the FreeIPA server via Docker, you will now verify the installation by authenticating against the FreeIPA Kerberos server from the Docker host. To do that, you must ensure that the domain name of your FreeIPA server resolves to the correct server, and you must have the Kerberos client utilities installed.

Before you start, open the ‘/etc/hosts‘ file on your Debian system using the following nano editor command.

sudo nano /etc/hosts

Add the following line to the file, and be sure to change the IP address and the domain name to match your FreeIPA server host.

192.168.5.10 ipa.hwdomain.lan

Save and close the file when you are done.

Next, install the ‘krb5-user‘ package on your system via the apt command below. This installs the Kerberos utilities that you can use to authenticate against your FreeIPA server.

sudo apt install krb5-user

Input y when prompted and press ENTER to proceed.


When asked for the default realm configuration, input the REALM of your FreeIPA server. In this example, the REALM is ‘HWDOMAIN.LAN‘.


As for the Kerberos server, input the domain name of your FreeIPA server such as ‘ipa.hwdomain.lan’.


Use the same value for the administrative server of the Kerberos realm: ‘ipa.hwdomain.lan‘.


The installation should now be finished, and the new settings are written to the ‘/etc/krb5.conf‘ file.

With the Kerberos utilities installed, enter the following command to test authentication against the Kerberos server that is running as a Docker container. When prompted, input the admin password of your FreeIPA server.

kinit admin

Enter the following command to verify your authentication to the Kerberos server. When successful, you should see the details of the tickets obtained by your Kerberos authentication.

klist


Lastly, you can also visit the web administration dashboard of your FreeIPA server. Be sure that the domain name of your FreeIPA server is added to the ‘/etc/hosts‘ file on your local machine.

Open your web browser and visit the FreeIPA server domain name (i.e. https://ipa.hwdomain.lan/). When successful, you should see the FreeIPA server login page.

Input the user admin and your password, then click Log in.


When authentication is successful, you should see the web administration dashboard of your FreeIPA server.


Adding FreeIPA User and Group Via Command Line

There are different ways to manage the FreeIPA server that runs as a Docker container: you can manage it via the web administration dashboard, or manage it directly from within the FreeIPA server container. In this section, you will manage FreeIPA users and groups via the ‘ipa’ command-line utility from the FreeIPA server container.

First, enter the following command to open a shell in the ‘freeipa-server-almalinux9‘ container.

docker exec -it freeipa-server-almalinux9 /bin/bash

Once logged in, authenticate yourself against the Kerberos server via the user ‘admin‘. Then, verify the Kerberos ticket details. When prompted for the password, input the password for your Directory Manager.

kinit admin

klist


After being authenticated to Kerberos, you can now start configuring the FreeIPA server.

Enter the following ‘ipa config-mod‘ command to set the default shell for FreeIPA users to ‘/bin/bash‘.

ipa config-mod --defaultshell=/bin/bash

You should see the user configuration details of the FreeIPA server.


Next, enter the following command to create a new FreeIPA user called ‘ubuntu‘. Input a new password when prompted and repeat it.

ipa user-add ubuntu --first=Ubuntu --last=Linux --password

Once added, you should get output such as ‘Added user “ubuntu”‘.


Now enter the following command to find the user ‘ubuntu‘ on your FreeIPA server. When the user exists, you should get output such as ‘1 user matched‘ along with the details of the user ‘ubuntu‘.

ipa user-find ubuntu


You can also get the details of a user on FreeIPA by entering the following command.

ipa user-show --raw ubuntu

With ‘--raw‘, the command prints the attributes of the user entry with their raw LDAP attribute names.


Next, create a new group ‘development‘ using the ‘ipa group-add’ command, then verify that the new group is added and available.

ipa group-add --desc='Development Team' development

ipa group-find development


Now run the following ‘ipa group-add-member’ command to add the FreeIPA user ‘ubuntu‘ to the group ‘development‘.

ipa group-add-member --user=ubuntu development

Verify the details of the group ‘development‘ using the following command. You should see the user ‘ubuntu‘ listed as a member of the group ‘development‘.

ipa group-show development


Adding Hosts to FreeIPA Server

The easiest way to add a new host to the FreeIPA server is the FreeIPA client package, which provides the ‘ipa-client-install’ utility. In this section, you will add an Ubuntu machine to the FreeIPA server ‘ipa.hwdomain.lan‘ that runs as a container.

Below are the steps required to add a new host to the FreeIPA server:

  • Setup FQDN and Timezone of the Client machine
  • Installing FreeIPA Client packages
  • Verify the FreeIPA Client machine

Now let’s start adding the Ubuntu machine to the FreeIPA Server Docker container.

Setup FQDN and Timezone

First, log in to your client machine and set up the fqdn using the following command.

sudo hostnamectl set-hostname client01.hwdomain.lan

Now open the config file ‘/etc/hosts‘ using the following nano editor command.

sudo nano /etc/hosts

Add the following lines to the file, and be sure to change the IP addresses, fqdns, and hostnames to match your environment.

192.168.5.10    ipa.hwdomain.lan        ipa

192.168.5.121   client01.hwdomain.lan   client01

Save the file when you’re done.

Now enter the following commands to ensure that the fqdn of the client machine resolves to the correct IP address and that the domain name of the FreeIPA server also resolves to the correct IP address.

ping -c3 ipa.hwdomain.lan

ping -c3 client01.hwdomain.lan


Next, enter the following command to set up the timezone of your client machine.

sudo timedatectl set-timezone Europe/Stockholm

Lastly, enter the following commands to point the ‘/etc/localtime‘ file at the proper timezone definition.

sudo unlink /etc/localtime

sudo ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime

Installing FreeIPA Client

First, update and refresh your Ubuntu package index via the apt command below.

sudo apt update

Now install the FreeIPA client package using the following command. When prompted, input y to confirm and press ENTER to proceed.

sudo apt install freeipa-client oddjob-mkhomedir


When prompted for the default Kerberos realm, input your realm, such as ‘HWDOMAIN.LAN‘.


For the Kerberos servers of your realm, input the FreeIPA server domain name ‘ipa.hwdomain.lan‘.


Lastly, input the domain name of the FreeIPA server ‘ipa.hwdomain.lan‘ again as the administrative server for the Kerberos realm.


Once the FreeIPA client package is installed, run the ‘ipa-client-install‘ command below to enroll the client machine with the FreeIPA server. Be sure to change the FreeIPA server domain name, domain, and realm to match your environment.

sudo ipa-client-install --hostname=$(hostname -f) \
    --mkhomedir \
    --server=ipa.hwdomain.lan \
    --domain=hwdomain.lan \
    --realm=HWDOMAIN.LAN

When asked whether to proceed with the fixed values, input yes to confirm and press ENTER. As for the NTP server, leave it at the default of no. Lastly, input yes again to confirm the installation.


Once finished, output such as ‘The ipa-client-install command was successful‘ will be printed on your terminal.


Verify the FreeIPA Client Host

From the FreeIPA server, type the following command to connect to the client machine ‘192.168.5.121’ as the FreeIPA user ‘ubuntu’. When prompted, input yes to confirm and accept the SSH fingerprint of the client machine, then input the password of the ‘ubuntu’ FreeIPA user.

ssh ubuntu@192.168.5.121

Once logged in, you will be asked to change the current password. Input the current password, then input the new password and repeat it.


Lastly, enter the following commands to identify your current user. You should see that you are logged in to the client machine as the user ‘ubuntu‘, which is also a member of the group ‘development‘.

id

whoami


Conclusion

In this tutorial, you have learned how to install and deploy the FreeIPA server via Docker on a Debian 11 server. You have also learned the basic usage of the ‘ipa’ command for creating and managing FreeIPA users and groups, how to obtain a Kerberos ticket via the kinit command, and how to log in to the FreeIPA web administration dashboard with the admin user and password.

Lastly, you have also added an Ubuntu client machine to the FreeIPA server via the FreeIPA client package. You have learned step by step how to do it, and verified your settings by logging in to the client machine as a FreeIPA user.

With this, you can now add more hosts, users, and groups to your FreeIPA server, and integrate FreeIPA into your production environment. For more details, see the official FreeIPA documentation.