After you have installed the FreeIPA identity management system, you will need to enroll and add client machines to the FreeIPA server. This allows FreeIPA users to log in to any client machine that is enrolled on the FreeIPA server.

In this tutorial, we will show you how to add an Ubuntu client machine to the FreeIPA server. In the end, the FreeIPA users will be able to log in to the Ubuntu client machines using the authentication provided by the FreeIPA server.

Prerequisites

  • A FreeIPA server is fully configured.
  • An Ubuntu Linux machine – server or desktop.
  • A non-root user with sudo administrator privileges.

Add User on FreeIPA Server

Before you start configuring the Ubuntu client machine, connect to your FreeIPA server using the ssh command below.

ssh [email protected]

Now run the below command to authenticate against the Kerberos server.

kinit admin

This will prompt you for a password for the Kerberos admin. Input the correct password.

Next, verify the authentication by checking the available Kerberos ticket using the below command.

klist

You will see the following screenshot if you are authenticated to the Kerberos server.

[Screenshot: authenticate against admin]

Now you will be setting up the FreeIPA server using the ipa command line.

Change the default shell for FreeIPA users to /bin/bash using the below command.

ipa config-mod --defaultshell=/bin/bash

You will see all default configurations for FreeIPA users below. As you can see, the default shell is changed to /bin/bash.

[Screenshot: setup default shell freeipa users]

Now run the below command to create a new FreeIPA user named laura.

ipa user-add laura --first=Laura --last=Admin --password

You will be asked to input a strong password for the user laura, then the new user will be created.

[Screenshot: add user freeipa]

Add DNS Record for Ubuntu Client on FreeIPA Server

After setting up a new user, you will now need to add the DNS configuration for the Ubuntu client machine. In this example, the Ubuntu client machine is running with IP address 192.168.10.50 with the hostname ubuntu-node.

Now add the DNS configuration for the ubuntu-node using the below command. Replace the domain name hwdomain.io with the DNS zone of your FreeIPA server, and replace the hostname and IP address with the details of your client machine.

ipa dnsrecord-add hwdomain.io ubuntu-node.hwdomain.io --a-rec 192.168.10.50

Verify the DNS configuration using the below command.

ipa dnsrecord-find hwdomain.io ubuntu-node.hwdomain.io

Below you can see the FQDN ubuntu-node.hwdomain.io is resolved to the client IP address 192.168.10.50.

Additionally, if you run the ping command from the FreeIPA server to the FQDN ubuntu-node.hwdomain.io, the domain will automatically be resolved to the correct IP address defined on the FreeIPA server.

ping ubuntu-node.hwdomain.io -c5

You have now created the FreeIPA user and configured the DNS record for the client machine.

Setting FQDN and /etc/hosts

Now move to the Ubuntu client machine and start configuring the FQDN and /etc/hosts file on the client machine.

Run the below command to set the FQDN to ubuntu-node.hwdomain.io.

sudo hostnamectl set-hostname ubuntu-node.hwdomain.io

Now edit the /etc/hosts file using the nano editor.

sudo nano /etc/hosts

Change the IP addresses and domain names to match your environment, then add the following configuration to the file.

192.168.10.25 ipa.hwdomain.io

192.168.10.50 ubuntu-node.hwdomain.io

Save and close the file when you are done.

Next, run the dig command below to verify the FQDN and /etc/hosts file configuration.

dig +short ubuntu-node.hwdomain.io A

dig +short -x 192.168.10.50

As the following screenshot shows, the FQDN ubuntu-node.hwdomain.io resolves to the IP address 192.168.10.50 and vice versa.

[Screenshot: setup fqdn and /etc/hosts file]
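Because dig queries DNS directly and does not read /etc/hosts, the file itself can be checked separately; the following is an added example, not part of the original tutorial, and the function names and return codes are assumptions made for illustration. It flags an FQDN that is missing, mapped to a loopback address (such as the 127.0.1.1 line Debian-based installers often add), or mapped to the wrong IP.

```sh
#!/bin/sh
# Added example: pre-enrollment check of a hosts file. The names
# check_hosts_fqdn and make_sample_hosts are illustrative, not FreeIPA tools.
# Return codes of check_hosts_fqdn FILE FQDN EXPECTED_IP:
#   0 = FQDN maps only to the expected IP
#   1 = FQDN not present in the file
#   2 = FQDN maps to a loopback address (127.0.0.0/8 or ::1)
#   3 = FQDN maps to a different, non-loopback IP
check_hosts_fqdn() {
    awk -v fqdn="$2" -v want="$3" '
        { sub(/#.*/, "") }              # strip trailing comments
        NF < 2 { next }                 # skip blank or incomplete lines
        {
            for (i = 2; i <= NF; i++) { # every name or alias on the line
                if (tolower($i) != tolower(fqdn)) continue
                found = 1
                if ($1 ~ /^127\./ || $1 == "::1") loopback = 1
                else if ($1 != want) other = 1
            }
        }
        END {
            if (!found)   exit 1
            if (loopback) exit 2
            if (other)    exit 3
            exit 0
        }' "$1"
}

# Constructed sample: the two entries from this tutorial plus a loopback
# line of the kind an installer may leave behind.
make_sample_hosts() {
    cat <<'EOF'
127.0.0.1 localhost
127.0.1.1 ubuntu-node.hwdomain.io ubuntu-node   # left by the installer
192.168.10.25 ipa.hwdomain.io
192.168.10.50 ubuntu-node.hwdomain.io
EOF
}

# Demo on the constructed sample; prints "status=2" (loopback entry found).
sample=$(mktemp)
make_sample_hosts > "$sample"
status=0
check_hosts_fqdn "$sample" ubuntu-node.hwdomain.io 192.168.10.50 || status=$?
echo "status=$status"
rm -f "$sample"
```

On the client, the same function can be pointed at the real file: check_hosts_fqdn /etc/hosts "$(hostname -f)" 192.168.10.50.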

Adding Ubuntu Client to FreeIPA

After configuring the FQDN and /etc/hosts file, you will now install the FreeIPA client package and add your Ubuntu client to the FreeIPA server.

Before installing any packages, update and refresh your Ubuntu repository using the below command.

sudo apt update

Now install the FreeIPA client package using the below command.

sudo apt install freeipa-client oddjob-mkhomedir

Input Y to confirm the installation and press ENTER to continue.

[Screenshot: install freeipa client]

During the installation, you will be asked to set up the default REALM. Leave it as default, because it will automatically be detected based on your FQDN.

[Screenshot: confirm realm domain]

Now leave all the rest of the questions about the Kerberos configuration blank and select the option shown in the screenshot.

[Screenshot: skip kerberos authentication]

[Screenshot: skip kerberos configuration]

The FreeIPA client package is now installed on your Ubuntu client machine.

Next, run the ipa-client-install command below to add the Ubuntu client machine to the FreeIPA server. Be sure to change the FreeIPA server address, domain name, and REALM.

sudo ipa-client-install --hostname=`hostname -f` \
  --mkhomedir \
  --server=ipa.hwdomain.io \
  --domain hwdomain.io \
  --realm HWDOMAIN.IO

During the installation, you will be asked for the following configurations:

  • Input yes when asked about the autodiscovery configuration.
  • Leave the NTP configuration as default no.
  • Check your detailed FreeIPA server configuration and input yes to confirm the installation.
  • Now input the user admin for the Kerberos authentication.
  • Input the password for the Kerberos admin user.

[Screenshot: add freeipa client]

When all configuration is completed, you will see a message such as “Client configuration completed.”

[Screenshot: installation completed]

Next, run the below command to change the PAM authentication module configuration.

sudo pam-auth-update

Select the PAM profile “Create a home directory on login” to enable it, then select OK to confirm.

[Screenshot: setup pam module]

Now all configurations of the FreeIPA client machine are completed.

Logging in to Ubuntu Client with FreeIPA User

To verify your Ubuntu client machine configuration, move back to the FreeIPA server and connect to the ubuntu-node.hwdomain.io using the FreeIPA user laura. Also, make sure the password authentication on your Ubuntu client machine is enabled.

Connect to the Ubuntu client machine using the FreeIPA user as below.

ssh [email protected]

Input the password for the FreeIPA user. When the password is correct, you will be asked to input the password again and then change the default password to a new one. So be sure to use a strong password for your user.

When you are connected, you will see output like the following screenshot. The FreeIPA user laura is logged in to the ubuntu-node machine using the SSH authentication.

[Screenshot: login to ubuntu client with freeipa user]

Conclusion

Congratulations! You have now learned how to add the Ubuntu client machine to the FreeIPA server. You have also learned the basic ipa commands for managing FreeIPA users and DNS configuration, as well as the basic configuration for the PAM module.