FreeIPA Deploy

Distro to use

Use a Red Hat-based distro.

The downstream RHEL rebuilds are the most stable targets, so use Rocky Linux or AlmaLinux.

Prerequisite

Set a static IP and make sure the search domain matches the domain part of the FQDN

nmtui

Change hostname to FQDN (on older systemd releases the subcommand is set-hostname)

hostnamectl hostname xxx.xxx.xxx

Add a line to /etc/hosts, in this order: IP, FQDN, short hostname

xxx.xxx.xxx.xxx FQDN hostname

IPA install

dnf update
dnf install ipa-server ipa-server-dns

Start to deploy

ipa-server-install --mkhomedir
  1. Type yes to configure integrated DNS (BIND)
  2. Check the host name, it should be the FQDN
  3. Check the domain name, it should be the domain part of the FQDN
  4. Check the realm name, it should be the domain name in upper case
  5. Type in the Directory Manager password (this is the LDAP super-user, not the admin account; keep it separate and store it safely)
  6. Type in the IPA admin password
  7. Choose yes for DNS forwarders
  8. Check the DNS forwarder, add another one if needed
  9. Choose yes to search for missing reverse zones
  10. Choose no for NTP server (only if the host already syncs time with chrony; Kerberos rejects tickets once clocks differ by more than 5 minutes)
  11. Check the summary, then type yes

The installer finishes with:

Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                  * 53: bind
                UDP Ports:
                  * 88, 464: kerberos
                  * 53: bind
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
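The prerequisite checks and the installer prompts above, as an added example script (not part of FreeIPA): it verifies the lower-case FQDN, the /etc/hosts line, the resolv.conf search domain, and prints the non-interactive ipa-server-install flags that correspond to the answers listed above. ipa.example.com, 192.0.2.10 and 9.9.9.9 are constructed placeholders. The same checks apply to a client host before ipa-client-install.

```shell
#!/bin/sh
# Added example, not part of FreeIPA: pre-flight checks for the host that will
# run ipa-server-install, and the non-interactive flag set that matches the
# interactive answers above. ipa.example.com, 192.0.2.10 and 9.9.9.9 are
# constructed placeholders.

# is_fqdn NAME: at least two labels, each 1-63 chars of [a-z0-9-], not
# starting or ending with '-'. Lower case only: Kerberos principals are case
# sensitive and the installer derives host/<fqdn> from this name.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# domain_of FQDN: everything after the first label (ipa.example.com -> example.com)
domain_of() { printf '%s\n' "${1#*.}"; }

# realm_of FQDN: the domain in upper case, which is what the installer proposes
realm_of() { domain_of "$1" | tr '[:lower:]' '[:upper:]'; }

# hosts_has_entry IP FQDN < /etc/hosts: true if a line maps IP to FQDN with the
# FQDN as the first name, so 'hostname -f' resolves to it and not to the alias.
hosts_has_entry() {
    awk -v ip="$1" -v fqdn="$2" '
        $1 == ip && $2 == fqdn { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# search_matches DOMAIN < /etc/resolv.conf: true if the search list begins
# with DOMAIN (the "search domain matches the FQDN" prerequisite).
search_matches() {
    awk -v d="$1" '$1 == "search" && $2 == d { ok = 1 } END { if (ok) exit 0; exit 1 }'
}

# server_install_args FQDN FORWARDER: flags equivalent to the interactive
# answers (integrated DNS, one forwarder, auto reverse zones, no NTP).
# Passwords are deliberately left out so the installer prompts for them and
# they never land in shell history or the process list.
server_install_args() {
    printf '%s --setup-dns --hostname=%s --domain=%s --realm=%s --forwarder=%s --auto-reverse --no-ntp\n' \
        '--mkhomedir' "$1" "$(domain_of "$1")" "$(realm_of "$1")" "$2"
}

# preflight FQDN IP FORWARDER: run the live checks on this host and print the
# install command to review. Only runs when called with three arguments.
preflight() {
    fqdn=$1 ip=$2 fwd=$3
    is_fqdn "$fqdn" || { echo "not a lower-case FQDN: $fqdn"; return 1; }
    [ "$(hostname -f)" = "$fqdn" ] || { echo "hostname -f is not $fqdn"; return 1; }
    hosts_has_entry "$ip" "$fqdn" < /etc/hosts || { echo "/etc/hosts lacks '$ip $fqdn'"; return 1; }
    search_matches "$(domain_of "$fqdn")" < /etc/resolv.conf || { echo "resolv.conf search is not $(domain_of "$fqdn")"; return 1; }
    echo "ok, run: ipa-server-install $(server_install_args "$fqdn" "$fwd")"
}

# Usage: sh ipa-preflight.sh ipa.example.com 192.0.2.10 9.9.9.9
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Run it as root on the future IPA server before the install; if every check passes it prints the command line to run, still prompting for the two passwords.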

Firewall settings

firewall-cmd --add-port={80,443,389,636,88,464,53}/tcp --permanent
firewall-cmd --add-port={88,464,53,123}/udp --permanent

Then run firewall-cmd --reload so the permanent rules take effect. 123/udp is only needed if clients will use this server as their NTP source.

Kerberos ticket

kinit admin

Enter the admin password when prompted.

Access Web interface

To reach the web interface at https://<IPA FQDN>, point the device's DNS at the IPA server or add a temporary hosts-file entry for the IPA FQDN on the device. The HTTPS certificate is issued by the IPA CA, so the browser will warn until that CA is trusted; it can be fetched from http://<IPA FQDN>/ipa/config/ca.crt.

Log in with the admin credentials.

FreeIPA Client Install

The client can be either Red Hat-based or Debian-based.

Change the hostname to the FQDN and check that /etc/hostname and /etc/hosts agree

hostnamectl hostname xxx.xxx.xxx
/etc/hosts
xxx.xxx.xxx.xxx FQDN hostname

Point DNS at the IPA server (its integrated DNS serves the SRV records the client needs)

/etc/resolv.conf
nameserver <IPA server IP>

On Debian the file is usually regenerated by the network stack, so make it immutable to stop it being overwritten (chattr -i undoes it). Setting the DNS server in the network configuration instead (NetworkManager or systemd-resolved) is the cleaner fix.

chattr +i /etc/resolv.conf

Install the IPA client package (Debian or Red Hat respectively)

apt install freeipa-client
dnf install ipa-client

Configuring Kerberos Authentication (Debian prompts for these during package install)

  • Default Kerberos version 5 realm: the domain name in upper case
  • Kerberos servers for your realm: the IPA server FQDN in lower case
  • Administrative server for your Kerberos realm: the same IPA server FQDN in lower case

Deploy IPA Client

Start to deploy

ipa-client-install --mkhomedir

User authorized to enroll computers: admin

Enter the admin password when prompted. This uses the admin credential on every client; a per-host one-time password avoids that.
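The client enrollment above, as an added example (not FreeIPA's own tooling) that replaces the admin password with a per-host one-time password: on the server, with an admin ticket, ipa host-add --random creates the host entry and prints the OTP; on the client, ipa-client-install consumes it with --password. client.example.com, ipa.example.com and the OTP value are constructed placeholders; the parser assumes the "Random password:" label that ipa host-add prints.

```shell
#!/bin/sh
# Added example, not FreeIPA's own tooling: enroll a client with a per-host
# one-time password (OTP) instead of the admin credential. Server side, with
# an admin ticket (kinit admin), 'ipa host-add --random' creates the host
# entry and prints the OTP; client side, ipa-client-install consumes it.
# client.example.com, ipa.example.com and the OTP value are constructed.

# random_password_from_output < output-of-ipa-host-add: print the value of the
# 'Random password:' line, fail if there is none.
random_password_from_output() {
    awk -F': *' '$1 ~ /^ *Random password$/ { print $2; found = 1 }
                 END { if (!found) exit 1 }'
}

# issue_host_otp CLIENT_FQDN: run on the IPA server. Prints only the OTP;
# pass it to the client out of band. It is single use and only enrolls this
# host, so leaking it is far cheaper than leaking the admin password.
issue_host_otp() {
    ipa host-add "$1" --random | random_password_from_output
}

# client_install_args CLIENT_FQDN SERVER_FQDN OTP: flags matching the
# interactive client install above, with the OTP in place of admin.
client_install_args() {
    domain=${1#*.}
    realm=$(printf '%s\n' "$domain" | tr '[:lower:]' '[:upper:]')
    printf '%s --unattended --hostname=%s --domain=%s --realm=%s --server=%s --password=%s\n' \
        '--mkhomedir' "$1" "$domain" "$realm" "$2" "$3"
}

# enroll_client SERVER_FQDN OTP: run as root on the client after DNS points at
# the IPA server. Word splitting of the argument list is intentional.
enroll_client() {
    # shellcheck disable=SC2046
    ipa-client-install $(client_install_args "$(hostname -f)" "$1" "$2")
}

# Usage: on the server  sh ipa-otp-enroll.sh issue client.example.com
#        on the client  sh ipa-otp-enroll.sh enroll ipa.example.com <otp>
case ${1-} in
    issue)  issue_host_otp "$2" ;;
    enroll) enroll_client "$2" "$3" ;;
esac
```

The OTP does appear on the client's command line, but it is invalidated by the enrollment itself, so the exposure is bounded to one host and one use, unlike an admin password typed on every machine.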