Freeipa Client Installation

in sysops •  8 years ago  (edited)


For more information on Red Hat's FreeIPA, visit freeipa.org


Description:


FreeIPA is an integrated security information management solution combining
Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS and Dogtag (Certificate System).
It consists of a web interface and command-line administration tools, and
provides centralized authentication, authorization and account information by storing
data about users, groups, hosts and the other objects needed to manage computers on the network.


Pre-Requisites:


1.    OS:

These instructions can be performed on

  • CentOS 6-7
  • RHEL 6-7
  • Debian Jessie (8) and later.
  • Ubuntu 15.04 and later.


2.    Set host file entry:

Add a host file entry so that the IPA client can resolve its own FQDN to the real
(non-loopback) IP address that the IPA server will see. The FQDN must be the first
name on the line, before any short alias; a Debian-style "127.0.1.1 client.yourcompany.com"
line does not satisfy this, because the host would then resolve itself to loopback.

Set the host file in /etc/hosts

1.2.3.10        client.yourcompany.com client


3.    Set the hostname to an FQDN:

Ensure that the hostname is set to a Fully Qualified Domain Name; Kerberos host
principals and the host certificate are issued for this name.
There are 2 steps to ensuring that the hostname is set correctly:
the first is editing the /etc/hostname file,
the second is setting the running hostname using hostnamectl (systemd based systems,
i.e. CentOS/RHEL 7, Debian 8 and Ubuntu 15.04 or later; on CentOS/RHEL 6 set
HOSTNAME=client.yourcompany.com in /etc/sysconfig/network instead).

/etc/hostname:

client.yourcompany.com


hostnamectl set-hostname client.yourcompany.com


4.    Set up proper DNS resolvers:

Next you will need to ensure that the client resolves DNS through the IPA server,
because ipa-client-install discovers the realm, the KDC and the LDAP server via
DNS SRV records in the IPA domain. To do this, either set the network adapter
configuration to include the DNS address of the IPA server, or modify the
/etc/resolv.conf file and add the IPA server IP as the primary nameserver.


RHEL & CentOS Installations:


In CentOS/RHEL, the network adapter config can be found in /etc/sysconfig/network-scripts/ifcfg-enoxxxxx
Edit the file, and add the following line, substituting 1.2.3.4 for the IP address
of your IPA server. On CentOS/RHEL 6 restart with "service network restart" instead
of systemctl.

DNS1=1.2.3.4
systemctl restart network.service



Debian & Ubuntu Installations:


In Debian Jessie/Ubuntu 15.04 and later, the network adapter config can be found in /etc/network/interfaces
Edit the file, and add the following line inside the "iface eth0" block, substituting
1.2.3.4 (and 1.2.3.5 for a second IPA server, if you have one) for the IP address
of your IPA server. The dns-nameservers option is honoured by the resolvconf package,
which must be installed for it to take effect.

dns-nameservers 1.2.3.4 1.2.3.5
systemctl restart networking.service


Manually Edit resolv.conf:


In order to set the nameserver manually, edit the /etc/resolv.conf file, and
add the proper nameserver line, substituting 1.2.3.4 for the IP address
of your IPA server. Ensure that the nameserver entries defining your IPA servers
are the first in the nameserver list. Note that a hand-edited /etc/resolv.conf is
overwritten by NetworkManager, resolvconf or the DHCP client on the next network
change, so this is only a quick fix; the adapter configuration above is the
persistent one.

nameserver 1.2.3.4
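The host-file, hostname and resolver steps above are the three things that most often make ipa-client-install fail or enrol a host under the wrong name. The script below is an added example (not part of the original post or of FreeIPA) that checks them before you run the client install. The IPA server address 1.2.3.4 and the client name client.yourcompany.com are the post's placeholders; each check takes the file to inspect as an argument, so it can be run against a copy of the files as well as against the live host.

```shell
#!/bin/sh
# Pre-flight checks for the IPA client prerequisites (added example).
# Each check is a function taking file paths / names as arguments.

# is_fqdn NAME: succeed when NAME has at least two dot-separated labels of
# letters, digits and hyphens (a bare short name like "client" fails).
is_fqdn() {
    printf '%s\n' "$1" \
        | grep -Eiq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$'
}

# hosts_entry_ok HOSTS_FILE FQDN: succeed when HOSTS_FILE has a line whose
# first name is FQDN and whose address is not loopback. Debian's default
# "127.0.1.1 client.yourcompany.com" line fails on purpose: the client must
# resolve itself to the address the IPA server will see.
hosts_entry_ok() {
    line=$(sed 's/#.*//' "$1" | awk -v h="$2" '$2 == h { print; exit }')
    [ -n "$line" ] || return 1
    addr=$(printf '%s\n' "$line" | awk '{ print $1 }')
    case "$addr" in
        127.*|::1) return 1 ;;
    esac
    return 0
}

# resolver_ok RESOLV_CONF IPA_IP: succeed when the first active nameserver
# line in RESOLV_CONF is IPA_IP, so SRV lookups for the IPA domain go to the
# IPA DNS first.
resolver_ok() {
    first=$(sed 's/#.*//' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# Live run against this host:  sh ipa-preflight.sh --live 1.2.3.4
if [ "${1:-}" = "--live" ]; then
    ipa_ip=${2:?usage: $0 --live IPA_SERVER_IP}
    status=0
    name=$(hostname)
    is_fqdn "$name" \
        || { echo "hostname '$name' is not an FQDN" >&2; status=1; }
    hosts_entry_ok /etc/hosts "$name" \
        || { echo "/etc/hosts has no non-loopback entry with $name first" >&2; status=1; }
    resolver_ok /etc/resolv.conf "$ipa_ip" \
        || { echo "first nameserver in /etc/resolv.conf is not $ipa_ip" >&2; status=1; }
    # With IPA-managed DNS the client discovers its servers through SRV
    # records; check that the LDAP record for the host's domain is published.
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "_ldap._tcp.${name#*.}" | grep -q . \
            || { echo "no _ldap._tcp SRV record for ${name#*.}" >&2; status=1; }
    fi
    exit "$status"
fi
```

Run it with --live and the IPA server address before step "Install the IPA Client"; a non-zero exit means one of the prerequisites is still wrong. The SRV lookup only runs when dig is installed, and it is the one check that needs the network.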


Install the IPA Client:



RHEL / CentOS Client:


1.    Install Epel:

yum install -y epel-release


2.    Install the ipa client:

yum install -y ipa-client


3.    Register the client:

Run as root. The command prompts for the credentials of a user allowed to enrol
hosts (typically admin); for unattended installs create the host entry first with
"ipa host-add client.yourcompany.com --random" on the server and pass the generated
one-time password with --password instead of typing admin credentials on the client.
About the flags: --no-ntp leaves time synchronisation to you, and Kerberos rejects
tickets once the clock skew exceeds the KDC's limit (5 minutes by default), so make
sure the client is already synced; --no-dns-sshfp stops the client from publishing
its own SSHFP records, while --ssh-trust-dns makes its ssh client trust the SSHFP
records of other hosts, which only adds real assurance when the resolver validates DNSSEC.

ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --enable-dns-updates --ssh-trust-dns



Debian / Ubuntu Client:


1.    Install the numeezy repository:

The team over at numeezy already maintains a freeipa client for Debian/Ubuntu,
so instead of rolling our own, we are going to use theirs. Note that the signing
key below is fetched over plain HTTP, so anyone on the path could substitute both
the key and the packages; verify the key's fingerprint out of band (apt-key
fingerprint) before installing anything from the repository. Newer releases
(Debian Stretch and Ubuntu 16.04 onwards) ship a freeipa-client package in the
distribution itself, in which case skip this step.

wget -qO - http://apt.numeezy.fr/numeezy.asc | apt-key add -
echo -e 'deb http://apt.hgb.fr jessie main' >> /etc/apt/sources.list


2.    Install the ipa client:

apt-get update
apt-get install -y freeipa-client


3.    Create the NSS certificate database directory:

mkdir -p /etc/pki/nssdb


4.    Initialise an empty NSS certificate database:

certutil prompts for a database password; pass --empty-password to create the
database non-interactively without one.

certutil -N -d /etc/pki/nssdb


5.    Create the IPA runtime directory:

mkdir -p /var/run/ipa


6.    Remove any existing client configuration:

ipa-client-install refuses to run on a host that already looks enrolled, so
clear out a stale config from a previous attempt.

rm -f /etc/ipa/default.conf


7.    Register the client:

ipa-client-install --no-ntp --no-dns-sshfp --mkhomedir --enable-dns-updates --ssh-trust-dns


8.    Enable home directory creation for LDAP users:

pam_mkhomedir creates a user's home directory on first login. The line below is
appended unconditionally, so run it once only; a second run leaves a duplicate entry.

echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session


9.    Setup nsswitch.conf to use IPA:

Edit the /etc/nsswitch.conf file and make sure the following databases list sss
(the SSSD backend that talks to IPA) as a source after files:

passwd: files sss
group: files sss
shadow: files sss
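Steps 8 and 9 are the two hand edits in this procedure, and both go wrong when a host is configured twice: the echo appends a second pam_mkhomedir line, and a careless nsswitch edit can drop a database or list sss twice. The functions below are an added example (not from the original post or the FreeIPA project) that apply the same two changes idempotently. They take the file path as an argument so they can be tried on a copy of the files before touching /etc; the "--apply" mode is an assumed convenience for running them against the live files.

```shell
#!/bin/sh
# Idempotent versions of the pam_mkhomedir and nsswitch.conf edits (added example).

# ensure_pam_mkhomedir PAM_FILE: append the pam_mkhomedir session line only if
# no active (uncommented) pam_mkhomedir session line is already present.
ensure_pam_mkhomedir() {
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"; then
        return 0
    fi
    printf 'session required pam_mkhomedir.so\n' >> "$1"
}

# ensure_sss_in_nsswitch NSS_FILE: for the passwd, group and shadow databases
# make sure "sss" is one of the sources. An existing line keeps its current
# sources (e.g. Debian's "compat") and gets sss appended once; a missing line
# is added as "files sss". Other databases (hosts, services ...) are untouched.
ensure_sss_in_nsswitch() {
    for db in passwd group shadow; do
        if grep -Eq "^${db}:" "$1"; then
            if ! grep -Eq "^${db}:.*[[:space:]]sss([[:space:]]|$)" "$1"; then
                # Rewrite via a temp file and cat back so the original file's
                # ownership and permissions are preserved.
                tmp=$(mktemp)
                sed "s/^${db}:.*/& sss/" "$1" > "$tmp" && cat "$tmp" > "$1"
                rm -f "$tmp"
            fi
        else
            printf '%s: files sss\n' "$db" >> "$1"
        fi
    done
}

# nsswitch_sources NSS_FILE DB: print the sources configured for DB
# (e.g. "files sss"), for checking the result.
nsswitch_sources() {
    awk -v d="$2:" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# Live run:  sh ipa-postinstall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_pam_mkhomedir /etc/pam.d/common-session
    ensure_sss_in_nsswitch /etc/nsswitch.conf
    for db in passwd group shadow; do
        printf '%s: %s\n' "$db" "$(nsswitch_sources /etc/nsswitch.conf "$db")"
    done
fi
```

Running it twice produces the same files as running it once, which is what you want from anything that ends up in a provisioning script.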


Reboot:


Reboot the server


Post Requisites:


None


References:


clusterfrak.com


Good thoughts