FreeIPA - Part 2 - Install the FreeIPA Server and Client
First, let me apologize for the odd, low quality that I have gotten out of my first 2 screen recordings. I'd love to blame it on Youtube, but I think it's just an effect from accidentally recording the wrong aspect ratio on my iMac that runs Linux. Anyway, I recorded the rest of the series on a different machine at proper 16:9 1920x1080, so those should be better.
Preparing our Server Machine for Install
Using Fedora 32 for our FreeIPA server, we need to get a few things cleaned up inside the system. So you can do all of these steps through the CLI on SSH, or you can use the Virt-Manager to view the actual desktop.
First, let's run a couple of commands to make sure the system is fully up to date.
sudo dnf update -y
Once that completes, just reboot the server, and continue forward.
Setup our Network Interface
NOTE: I did this same set of steps on both my server (Fedora 32 Workstation) and client (Ubuntu 20.04) machines. Feel free to work on both at once if you like for this portion.
Next, let's set our network interface up to keep the IP it was given through DHCP, or set it up to request the static IP of your choosing on your network.
I did this step through the network manager UI, as for me it's just easier.
Open your Network Manager, and select the wired interface (this should be the only option in the virtual machines).
Next, click the settings gear icon for the wired interface. In the view that opens, make note of the assigned IP address (if you want to keep it, and use it), the DNS Mask (the subnet mask), the DNS IP address, and the Gateway address.
Now, click on the IPv4 tab, and choose Manual from the options at the top. Next, enter the IP address from above (or the IP address you want the machine to have), then the DNS Mask (usually 255.255.255.0), and the Gateway IP Address.
Now, move down the interface to the DNS section and turn off automatic. Enter the DNS IP you saw previously (may be the same as the Gateway IP, but if you run your own DNS server, feel free to use that IP).
Save / Apply your changes, then turn off the Wired interface and turn it back on to get the changes to take effect.
Set the Hostname of the Server and Client Virtual Machines
Now we'll set the hostname of the server and client VMs. There is only 1 difference between these setup steps, and I'll point that out below when you get to it.
First, let's set the proper hostname for each machine in the /etc/hostname file.
You need to decide now what you want for your machine's FQDN (Fully Qualified Domain Name). This is a name similar to a website address. For my server I'll be using ipasrv.myhome.local, and for my client I'll be using ipa01.myhome.local.
You want to know the following values moving forward:
- Server IP: mine is 192.168.7.154
- Client IP: mine is 192.168.7.153
- Server FQDN / hostname: mine is ipasrv.myhome.local
- Client FQDN / hostname: mine is ipa01.myhome.local
- Domain: mine is myhome.local
- Realm: mine is MYHOME.LOCAL
In your terminal enter
sudo nano /etc/hostname
In the window that opens, if the hostname displayed is not your desired FQDN, then erase what's there, and enter the proper FQDN.
Save the file with CTRL + O, then press Enter, then use CTRL + X to exit the text editor.
Next, we need to set our hostname in the /etc/hosts file.
Enter the following in the terminal.
sudo nano /etc/hosts
Make a new line at the top of the file. Enter the IP Address for the machine you are working on, then tab one time and enter the FQDN of that machine. Now tab one more time and enter just the first portion of the FQDN (what I call the shortname). It should look something like this:
192.168.7.154 ipasrv.myhome.local ipasrv
192.168.7.153 ipa01.myhome.local ipa01
Here's that one difference I talked about above.
On your client, in the /etc/hosts file, you need to make a second entry.
Go to the bottom of the IPv4 section (just below the localhost entries), and make a new line. Enter the IP, FQDN, and Shortname of the server on this line. It should look like:
192.168.7.154 ipasrv.myhome.local ipasrv
Now save each file with CTRL + O and press Enter, then exit nano with CTRL + X.
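Before running the installers, it is worth checking that the hostname and /etc/hosts edits above actually came out right, since a bad FQDN or a missing hosts entry is the usual reason the IPA install or client enrollment fails later. The following preflight script is an added example, not part of the original post: it uses the post's own names and IPs and a constructed sample of the client's /etc/hosts rather than reading the live file.

```shell
#!/bin/sh
# Added preflight check for the hostname / hosts setup described in the post.
# Names and IPs match the post; the hosts file below is a constructed sample.

# check_fqdn NAME: IPA wants a fully qualified, lowercase name that is not
# localhost. Returns 0 if NAME passes, 1 otherwise.
check_fqdn() {
    case "$1" in
        localhost|localhost.*|*.) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    # Kerberos principals are case-sensitive, so keep the hostname lowercase.
    [ "$1" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# check_hosts_entry FILE IP FQDN SHORT: returns 0 if FILE has a line mapping IP
# to FQDN followed by the short name, in the order the post lays it out.
check_hosts_entry() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        /^[[:space:]]*#/ { next }
        $1 == ip && $2 == fqdn && $3 == short { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# realm_for DOMAIN: prints the realm the installer will propose (domain, upper-cased).
realm_for() {
    printf '%s' "$1" | tr 'a-z' 'A-Z'
}

# Constructed sample of the client's /etc/hosts after the edits above.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
192.168.7.153   ipa01.myhome.local   ipa01
127.0.0.1       localhost
192.168.7.154   ipasrv.myhome.local  ipasrv
EOF

# preflight HOSTSFILE IP FQDN: runs all checks for one machine; 0 means ready.
preflight() {
    short=${3%%.*}
    check_fqdn "$3" || { echo "bad FQDN: $3"; return 1; }
    check_hosts_entry "$1" "$2" "$3" "$short" || { echo "no hosts entry for $3"; return 1; }
    echo "ok: $3 ($2), realm $(realm_for "${3#*.}")"
}

preflight "$SAMPLE_HOSTS" 192.168.7.153 ipa01.myhome.local    # the client itself
preflight "$SAMPLE_HOSTS" 192.168.7.154 ipasrv.myhome.local   # the server entry on the client
```

On a real machine, point the first argument at /etc/hosts and pass the output of `hostname -f` as the FQDN.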
Set the Firewall Rules on our Server
Next, we need to set the firewall rules on our server, and luckily FreeIPA has 2 built in commands that will set everything we need.
Run the following 2 commands in the terminal. After each one, you should get a
sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
sudo firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
Install the FreeIPA Server and Supporting Software
For this point, I'll only be discussing what to do on the Server VM. We'll continue with the Client VM further down.
On our server we now need to install the FreeIPA server, and supporting software. Simply enter the following into the terminal to start the process.
sudo yum install freeipa-server freeipa-server-dns nfs-utils -y
After the installation finishes, you need to reboot your server VM so the NFSUtils package can take effect.
When you log back in, I suggest becoming root for just a bit using the sudo su command. This just makes the rest of the process slightly simpler. If you prefer to continue typing sudo for all the commands, feel free to do so.
Now we are going to run the Full IPA Server install and Configuration. For this section just follow along with my screenshots, the video, and instructions below, and you should make it through - no problem.
As root, run
ipa-server-install --mkhomedir
or if you aren't root use
sudo ipa-server-install --mkhomedir
NOTE: the --mkhomedir portion is very important. DO NOT leave it out.
Now the install becomes interactive.
At the prompt for configuring integrated DNS, type "yes", then press Enter.
Next, you'll be asked to confirm your server hostname. It should pick up the hostname from the /etc/hostname file, or the /etc/hosts file, and that should be displayed in square brackets. If the detected hostname is correct, press Enter to simply accept the default.
Next, you'll get a warning about skipping DNS resolution, but it's ok. It will then ask you to confirm the domain name, which again should be correct, and displayed in square brackets. If so, press Enter to continue.
Next the system will confirm the Realm, which should just be your domain in all caps. Confirm it is, and press Enter to accept the default as long as it's correct.
After that you'll be asked to enter a Directory Manager password. This is like the super admin of the system, and you want to make this a long, strong password that you don't share with anyone else.
After the Directory Manager password, you'll be asked to enter the IPA Admin password. Again, make this a long, strong password, and remember it, as you'll need it to log into the Web UI, and to install the client software on the client machine.
Now, you'll be asked if you want to configure DNS forwarders. You should type "yes" here, and then check that it finds your DNS IP address (may be your DNS server, or the Gateway IP of your router depending on your setup).
If it doesn't find a correct IP for DNS, enter your Gateway IP, then press Enter. Skip any other entry of DNS IP if prompted.
Next you'll be asked about searching for Reverse Zones. Press Enter to accept the default, then Accept the [no] default for the chrony and NTP server IP.
When prompted to configure the system with these values, type "yes", then press Enter.
The rest of the install will proceed. As long as you don't hit any errors, you should get a system message that the IPA Server was successfully installed.
Once you get the Successful comment, you'll need to type one more command to setup your admin user, and enable the Web UI.
After typing "kinit admin", press Enter, and reboot the server VM.
You should now be able to route to the server IP or FQDN in your browser. If you're using a machine not on your myhome.local domain, you may need to enter the IP and FQDN in /etc/hosts.
Let's Install the Client IPA Software Now.
Now we'll install the client software, so moving over to the terminal for our client, let's make sure it's all up to date.
sudo apt update && sudo apt upgrade -y
Once that finishes, we'll reboot the client VM.
When it comes back up, we want to install the FreeIPA client, which isn't the full installation, but is a bit interactive.
sudo apt install freeipa-client -y
While it's installing you'll be asked to enter or verify the server hostname, domain / Realm, and Kerberos server. The server hostname and kerberos server hostname are the same, so in my case I just want to confirm it has
Domain / Realm =
Server / Kerberos server =
Once the installation is complete, you'll be ready to run the full client install and configuration. Use the command below to start:
sudo ipa-client-install --mkhomedir
Again, note that the flag --mkhomedir is extremely important, as if we don't include this on the server and client installation, the system will not know to create a home directory when we try to log in the first time with our IPA user, and it will just repeatedly bring you back to the login screen with no error or message of any kind.
When I run this, because of my DNS setup, I get a message about DNS discovery failure. If you see this, it's ok, just fill in your domain, and press Enter if it's not autodiscovered.
Next, you'll be asked for the server hostname, so just fill it and press Enter.
You'll get a warning about autodiscovery, but just type "yes", and press Enter to continue.
You should get a summary showing all the values the client will use, so simply type "yes" at the prompt, and press Enter.
The installer will prompt for the user authorized to enroll computers, and you'll enter admin
Then when prompted enter your IPA Admin user password set during the server install.
After a successful install message, you'll probably want to reboot one more time, just to be sure everything is set up and ready.
Now, if you go to the Web UI for your server, and log in with your IPA Admin user, you can click on the "Hosts" tab, and you should see both your server and client machines listed there.
Congratulations, you now have a FreeIPA server, and a FreeIPA Client setup and communicating.
Next, we'll cover the creation of a FreeIPA user, and logging into the client with those new user credentials.