
DEVOPSZONES


    How to Install FreeIPA in CentOS 8 and add a Client



    FreeIPA is a free and open source identity management system sponsored by Red Hat; it is the upstream of Red Hat Identity Management (IdM). This guide covers installing and configuring a FreeIPA server on CentOS 8 / RHEL 8 and enrolling a client. FreeIPA centrally manages identity, policy and audit for users, hosts and services, and can optionally provide DNS and NTP as well.

    What you get with FreeIPA


    1. Central authentication management (Kerberos and LDAP).
    2. Fine-grained access control (host-based access control and sudo rules).
    3. One-time passwords (OTP) as a second factor.
    4. Integration with Active Directory through cross-forest trusts.
    5. Integrated public key infrastructure (PKI) service.


    FreeIPA Server is composed of the following Open Source Projects.



    • 389 Directory Server
    • MIT Kerberos KDC 
    • Dogtag Certificate System
    • Bind DNS server (optional)
    • Web UI / ipa Command Line tool
    • NTP Server (optional)


    Requirements:



    • RAM = 4 GB
    • CPU = 2 to 4 vCPU
    • Disk = 10 GB free space on /
    • Internet connection (for package installation)
    • Hostname: freeipa.example.com, a resolvable FQDN with matching forward and reverse DNS records


    1. Set the hostname of your server if not set already

    [root@freeipa /]# hostnamectl set-hostname "freeipa.example.com"


    2. Update the server with yum update and reboot it

    [root@freeipa /]# yum update -y && reboot

    3. Update the "/etc/hosts" file

    Add a line with the server's IP address, its FQDN and its short hostname as an alias; replace the IP address and hostname as per your setup. The FQDN must be the first name after the address, because that is the canonical name hostname -f and the installer resolve.

    [root@freeipa /]# echo -e "192.168.1.23\tfreeipa.example.com\tfreeipa" >> /etc/hosts

    Install FreeIPA packages

    On CentOS 8 FreeIPA ships as the idm AppStream module. List its streams, install the DL1 stream (the only one that carries the server profiles), then install the server package (freeipa-server is provided by ipa-server):


    [root@freeipa /]# yum module list idm
    Failed to set locale, defaulting to C
    Last metadata expiration check: 0:28:00 ago on Wed Oct 30 15:31:37 2019.
    CentOS-8 - AppStream
    Name    Stream       Profiles                                   Summary
    idm     DL1          common [d], adtrust, client, dns, server   The Red Hat Enterprise Linux Identity Management system module
    idm     client [d]   common [d]                                 RHEL IdM long term support client module

    Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
    [root@freeipa /]# yum -y install @idm:DL1
    Failed to set locale, defaulting to C
    Last metadata expiration check: 0:31:05 ago on Wed Oct 30 15:31:37 2019.
    Dependencies resolved.
    ================================================================================================================================
     Package                           Arch              Version                                         Repository            Size
    ================================================================================================================================
    Installing group/module packages:
     ipa-client                        x86_64            4.7.1-11.module_el8.0.0+79+bbd20d7b             AppStream            266 k
    Installing dependencies:
     bind-libs                         x86_64            32:9.11.4-17.P2.el8_0.1                         AppStream            169 k
     bind-libs-lite                    x86_64            32:9.11.4-17.P2.el8_0.1                         AppStream            1.1 M
     bind-license                      noarch            32:9.11.4-17.P2.el8_0.1                         AppStream             98 k
     bind-utils                        x86_64            32:9.11.4-17.P2.el8_0.1                         AppStream            433 k
     certmonger                        x86_64            0.79.6-5.el8                                    AppStream            654 k
     ipa-client-common                 noarch            4.7.1-11.module_el8.0.0+79+bbd20d7b             AppStream            169 k
    [root@freeipa /]# yum -y install freeipa-server
    Failed to set locale, defaulting to C
    Last metadata expiration check: 0:33:25 ago on Wed Oct 30 15:31:37 2019.
    Dependencies resolved.
    ================================================================================================================================
     Package                                Arch          Version                                            Repository        Size
    ================================================================================================================================
    Installing:
     ipa-server                             x86_64        4.7.1-11.module_el8.0.0+79+bbd20d7b                AppStream        502 k

    Start the FreeIPA setup

    Once the packages are installed, run ipa-server-install. It is interactive: it asks for the server hostname, domain name, realm name, Directory Manager password and IPA admin password, and prints a summary before changing anything.

    The installer stops before doing anything if IPv6 is disabled on the loopback interface, because several of its components need the IPv6 loopback address:
    ipapython.admintool: ERROR    IPv6 stack is enabled in the kernel but there is no interface that has ::1 address assigned. Add ::1 address resolution to 'lo' interface. You might need to enable IPv6 on the interface 'lo' in sysctl.conf.
    ipapython.admintool: ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
    If you see this, re-enable IPv6 on lo (set net.ipv6.conf.lo.disable_ipv6 = 0 in sysctl and remove any ipv6.disable=1 from the kernel command line), then rerun the installer.

    [root@freeipa /]# ipa-server-install

    The log file for this installation can be found in /var/log/ipaserver-install.log
    ==============================================================================
    This program will set up the IPA Server.

    This includes:
      * Configure a stand-alone CA (dogtag) for certificate management
      * Configure the Network Time Daemon (ntpd)
      * Create and configure an instance of Directory Server
      * Create and configure a Kerberos Key Distribution Center (KDC)
      * Configure Apache (httpd)
      * Configure the KDC to enable PKINIT

    To accept the default shown in brackets, press the Enter key.

    (The screenshots of the interactive prompts are not reproduced here; at this point the installer asks for the server hostname, domain name, realm name, Directory Manager password and IPA admin password, proposing defaults derived from the hostname.)


    The IPA Master Server will be configured with:
    Hostname:       freeipa.example.com
    IP address(es): 192.168.1.23
    Domain name:    example.com
    Realm name:     example.com

    Continue to configure the system with these values? [no]: yes

    After answering "yes" here, the installer creates the Directory Server instance, the CA, the KDC and the web server, then enrols the server itself as a client; the result looks like the output below. Two things must be decided before this point and cannot be changed afterwards: the realm, which the installer defaults to the domain in upper case (EXAMPLE.COM, the Kerberos convention; this walkthrough accepted a lower-case realm, so every principal shown later ends in @example.com), and the Directory Manager and admin passwords, which protect the whole directory and the CA and should be long and kept in a password manager.


    Done.
    Restarting the KDC
    Configuring client side components
    Using existing certificate '/etc/ipa/ca.crt'.
    Client hostname: freeipa.example.com
    Realm: example.com
    DNS Domain: example.com
    IPA Server: freeipa.example.com
    BaseDN: dc=example,dc=com

    Skipping synchronizing time with NTP server.
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    trying https://freeipa.example.com/ipa/json
    [try 1]: Forwarding 'schema' to json server 'https://freeipa.example.com/ipa/json'
    trying https://freeipa.example.com/ipa/session/json
    [try 1]: Forwarding 'ping' to json server 'https://freeipa.example.com/ipa/session/json'
    [try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.example.com/ipa/session/json'
    Systemwide CA database updated.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    /etc/ssh/ssh_config not found, skipping configuration
    /etc/ssh/sshd_config not found, skipping configuration
    Configuring example.com as NIS domain.
    Client configuration complete.
    The ipa-client-install command was successful

    Please add records in this file to your DNS system: /tmp/ipa.system.records.S_gTln.db
    ==============================================================================
    Setup complete

    Next steps:
            1. You must make sure these network ports are open:
                    TCP Ports:
                      * 80, 443: HTTP/HTTPS
                      * 389, 636: LDAP/LDAPS
                      * 88, 464: kerberos
                    UDP Ports:
                      * 88, 464: kerberos
                      * 123: ntp

            2. You can now obtain a kerberos ticket using the command: 'kinit admin'
               This ticket will allow you to use the IPA tools (e.g., ipa user-add)
               and the web user interface.

    Be sure to back up the CA certificates stored in /root/cacert.p12
    These files are required to create replicas. The password for these
    files is the Directory Manager password
    [root@freeipa /]#

    Verify FreeIPA processes

    Check that every FreeIPA service is running. ipactl manages the whole set as one unit, so a stop or restart here affects all of them:
    [root@freeipa /]# ipactl status
    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    ntpd Service: RUNNING
    pki-tomcatd Service: RUNNING
    ipa-otpd Service: RUNNING
    ipa: INFO: The ipactl command was successful
    [root@freeipa /]#
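    The "Next steps" message above lists the ports that must be reachable, and ipactl status shows whether the services are up. The script below, an added example written for this guide and not FreeIPA code, turns both into a check that can be run from cron or a monitoring job: it parses the output of ipactl status and of ss -Hlntu and reports any service that is not RUNNING and any required port without a listener. The port lists are taken from the installer's message (53 for DNS is only needed if the server was installed with --setup-dns); the functions read their input on stdin, so they can be tried on sample text.

```bash
#!/bin/bash
# Post-install health check: are all IPA services up, and is something
# listening on every port the installer told us to open?
# Added example for this guide, not FreeIPA code.

# Ports from the installer's "Next steps" message.
REQUIRED_TCP="80 443 389 636 88 464"
REQUIRED_UDP="88 464 123"

# Read "ipactl status" on stdin; print every service that is not RUNNING.
# Exit 0 only when all services are RUNNING.
stopped_services() {
    awk '/ Service: / { name = $0; sub(/ Service: .*/, "", name)
                        state = $0; sub(/.* Service: /, "", state)
                        if (state != "RUNNING") { print name ": " state; bad = 1 } }
         END { exit bad ? 1 : 0 }'
}

# Read "ss -Hlntu" on stdin; print "proto port" for each listening socket
# (the port is the last colon-separated field of the local address, which
# also handles [::]:389 and *:80).
listening_ports() {
    awk '$1 == "tcp" || $1 == "udp" { n = split($5, a, ":"); print $1, a[n] }' | sort -u
}

# Compare the listener list on stdin with the required ports; print what is
# missing as "proto/port" and exit 1 if anything is.
missing_ports() {
    local listeners missing="" p
    listeners=$(listening_ports)
    for p in $REQUIRED_TCP; do
        printf '%s\n' "$listeners" | grep -qx "tcp $p" || missing="$missing tcp/$p"
    done
    for p in $REQUIRED_UDP; do
        printf '%s\n' "$listeners" | grep -qx "udp $p" || missing="$missing udp/$p"
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Live run only on request: ./ipa-health.sh --check
if [ "${1-}" = "--check" ]; then
    rc=0
    ipactl status | stopped_services || rc=1
    ss -Hlntu | missing_ports || rc=1
    [ "$rc" -eq 0 ] && echo "all services running and all required ports have listeners"
    exit "$rc"
fi
```

    A missing listener for udp/123 is the usual finding on hosts where time is served by chrony instead of ntpd, and on the server itself it is harmless; a missing 88 or 389, or a STOPPED service, is not. Note that a listener on the host says nothing about the firewall in front of it, which the next section opens.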

    Open Ports in Firewall:

    Open the services the installer listed in its "Next steps". The dns service is only needed if the server was installed with --setup-dns; leave it out otherwise, an unused open port is only extra exposure.

    # firewall-cmd --permanent --add-service={ntp,http,https,ldap,ldaps,kerberos,kpasswd,dns}
    success
    # firewall-cmd --reload
    success

    Since RHEL/CentOS 7.2, firewalld also ships dedicated FreeIPA service definitions, freeipa-ldap and freeipa-ldaps.
    To open http-TCP 80, https-TCP 443, kerberos-TCP/UDP 88, kpasswd-TCP/UDP 464, ntp-UDP 123 and ldap-TCP 389, type:
    # firewall-cmd --permanent --add-service freeipa-ldap
    To open http-TCP 80, https-TCP 443, kerberos-TCP/UDP 88, kpasswd-TCP/UDP 464, ntp-UDP 123 and ldaps-TCP 636, type:
    # firewall-cmd --permanent --add-service freeipa-ldaps
    Add both unless you are sure no client uses LDAPS, then reload firewalld with firewall-cmd --reload as above.

    Obtain a Kerberos ticket for the admin user with kinit admin and confirm it with klist:


    [root@freeipa /]# kinit admin
    Password for admin@example.com:
    [root@freeipa /]#
    [root@freeipa /]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@example.com

    Valid starting     Expires            Service principal
    03/28/20 15:40:56  03/29/20 15:40:34  krbtgt/example.com@example.com
    [root@freeipa /]#

    Create users' home directories automatically on first login

    [root@freeipa /]# authconfig --enablemkhomedir --update

    On CentOS 8 authconfig is only a compatibility wrapper (authselect-compat); the native equivalent is authselect select sssd with-mkhomedir --force, and the oddjobd service must be enabled and running, since it performs the directory creation. The --mkhomedir option of ipa-client-install, used for the client below, configures the same thing at enrolment time.

    The FreeIPA web UI is available at:

    https://freeipa.example.com/ipa/ui

    Log in as admin with the password chosen during ipa-server-install. The site is served with a certificate issued by the new IPA CA, so browsers warn until you import /etc/ipa/ca.crt (also published at http://freeipa.example.com/ipa/config/ca.crt) into their trust store.





    Uninstall FreeIPA Server

    To start over, remove the server configuration. This deletes the directory, the KDC and the CA with every certificate it issued; take an ipa-backup first if anything in it is still needed. The "automount client" error in the output below is expected when the automount client was never configured.

    [root@freeipa /]# ipa-server-install --uninstall

    This is a NON REVERSIBLE operation and will delete all data and configuration!
    It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

    Are you sure you want to continue with the uninstall procedure? [no]: yes
    -------------------------------------------------
    Deleted IPA server "freeipa.example.com"
    -------------------------------------------------
    Shutting down all IPA services
    Unconfiguring ntpd
    Configuring certmonger to stop tracking system certificates for KRA
    Configuring certmonger to stop tracking system certificates for CA
    Unconfiguring CA
    Unconfiguring krb5kdc
    Unconfiguring kadmin
    Unconfiguring directory server
    Unconfiguring ipa-custodia
    Removing IPA client configuration
    Unconfigured automount client failed: Command '/usr/sbin/ipa-client-automount --uninstall --debug' returned non-zero exit status 1
    Removing Kerberos service principals from /etc/krb5.keytab
    Disabling client Kerberos and LDAP configurations
    Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
    nscd daemon is not installed, skip configuration
    nslcd daemon is not installed, skip configuration
    Client uninstall complete.
    The ipa-client-install command was successful
    [root@freeipa /]#


    Add a Client to FreeIPA

    Run the following on the host to be enrolled (client1.example.com in this transcript), not on the server. The client must resolve the server's hostname and reach the ports opened above. The output below was captured on a CentOS 7 client (yum 3 plugin lines, ntpd); on CentOS 8 the same yum install resolves to the ipa-client package of the idm module, and time synchronisation is handled by chrony rather than ntpd, so the ntpd-related lines look different there. Two lines in the output deserve attention. "Unable to sync time with NTP server" matters because Kerberos rejects tickets when clocks differ by more than five minutes (the default clock skew), so make sure 123/UDP reaches a time source. "Could not update DNS SSHFP records" is expected here, because the server was installed without its own DNS (--setup-dns), so SSHFP records have to be published in your external DNS by hand or not at all.

    [root@client1 ~]# yum install freeipa-client -y
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    [root@client1 ~]# ipa-client-install --mkhomedir --force-ntpd
    DNS discovery failed to determine your DNS domain
    Provide the domain name of your IPA server (ex: example.com): example.com
    Discovery was successful!
    Client hostname: client1.example.com
    Realm: example.com
    DNS Domain: example.com
    IPA Server: freeipa.example.com
    BaseDN: dc=example,dc=com

    Continue to configure the system with these values? [no]: yes
    Synchronizing time with KDC...
    Attempting to sync time using ntpd.  Will timeout after 15 seconds
    Attempting to sync time using ntpd.  Will timeout after 15 seconds
    Unable to sync time with NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
    User authorized to enroll computers: admin
    Password for admin@example.com:
    Successfully retrieved CA cert
        Subject:     CN=Certificate Authority,O=example.com
        Issuer:      CN=Certificate Authority,O=example.com
        Valid From:  2020-03-28 15:28:34
        Valid Until: 2040-03-28 15:28:34

    Enrolled in IPA realm example.com
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured sudoers in /etc/nsswitch.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm example.com
    trying https://freeipa.example.com/ipa/json
    [try 1]: Forwarding 'schema' to json server 'https://freeipa.example.com/ipa/json'
    trying https://freeipa.example.com/ipa/session/json
    [try 1]: Forwarding 'ping' to json server 'https://freeipa.example.com/ipa/session/json'
    [try 1]: Forwarding 'ca_is_enabled' to json server 'https://freeipa.example.com/ipa/session/json'
    Systemwide CA database updated.
    Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
    Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
    [try 1]: Forwarding 'host_mod' to json server 'https://freeipa.example.com/ipa/session/json'
    Could not update DNS SSHFP records.
    SSSD enabled
    Configured /etc/openldap/ldap.conf
    NTP enabled
    Configured /etc/ssh/ssh_config
    Configured /etc/ssh/sshd_config
    Configuring example.com as NIS domain.
    Client configuration complete.
    The ipa-client-install command was successful
    [root@freeipa ~]#
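    The enrolment above has two weak spots: the admin password is typed on every client, and the client trusts a CA certificate fetched over the network from whichever server DNS discovery returned. FreeIPA supports a tighter flow: pre-create the host on the server with a one-time password (ipa host-add --random), copy the server's /etc/ipa/ca.crt to the client over a channel you trust, and enrol unattended with --password and --ca-cert-file, pinned to an explicit server. The script below is an added example written for this guide, not FreeIPA's own code; the hostnames and realm are the guide's values, and the "add-host", "enrol" and "verify" subcommands are this script's own convention. The parser of the host-add output is tested on a constructed sample.

```bash
#!/bin/bash
# Enrol a client without typing the admin password on it, and without
# trusting a CA certificate fetched from whatever server DNS discovery found.
# Added example for this guide, not FreeIPA code. Hostnames and realm are the
# guide's values (assumptions); the CA file path is whatever you copied it to.
#
# Server side: pre-create the host with a one-time password (OTP).
# Client side: enrol with that OTP and the server's /etc/ipa/ca.crt, copied
# over a channel you trust (scp from the server, configuration management).

CLIENT_FQDN="client1.example.com"
IPA_SERVER="freeipa.example.com"
IPA_DOMAIN="example.com"
IPA_REALM="example.com"   # realm chosen during ipa-server-install (usually EXAMPLE.COM)

# Extract the one-time password from "ipa host-add ... --random" output on stdin.
otp_from_host_add() {
    awk '/^[[:space:]]*Random password: / {
             sub(/^[[:space:]]*Random password: /, ""); print; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Server: needs an admin ticket (kinit admin). Prints the OTP for the host.
server_add_host() {
    ipa host-add "$CLIENT_FQDN" --random | otp_from_host_add
}

# Client: unattended enrolment pinned to a known server and a known CA.
# The OTP is single-use and is consumed by a successful join, so its brief
# appearance in the process list is far less exposure than an admin password.
client_enrol() {
    local otp="$1" ca_file="$2"
    [ -s "$ca_file" ] || { echo "CA file $ca_file missing; copy /etc/ipa/ca.crt from the server" >&2; return 1; }
    ipa-client-install --unattended \
        --hostname="$CLIENT_FQDN" \
        --server="$IPA_SERVER" --domain="$IPA_DOMAIN" --realm="$IPA_REALM" \
        --ca-cert-file="$ca_file" \
        --password="$otp" \
        --mkhomedir
}

# Client: after enrolment, prove the host keytab works and IPA users resolve.
client_verify() {
    kinit -k "host/$CLIENT_FQDN@$IPA_REALM" && klist && getent passwd admin
}

case "${1-}" in
    add-host) server_add_host ;;
    enrol)    client_enrol "$2" "$3" ;;   # enrol <otp> </path/to/ca.crt>
    verify)   client_verify ;;
esac
```

    On the server: kinit admin, then ./enrol.sh add-host prints the OTP. On the client, with the CA file in place: ./enrol.sh enrol '<otp>' /root/ca.crt, then ./enrol.sh verify. With this flow the "User authorized to enroll computers" prompt never appears, and a client that is handed a wrong CA file fails the join instead of silently trusting an impostor.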
