Linux
Trending

How to Configure FreeIPA Client on Ubuntu 18.04 / CentOS 7 for Centralize Authentication

In our previous article we have already discussed about FreeIPA and its installation steps on CentOS 7 Server, in this article we will discuss how an Ubuntu 18.04 and CentOS 7 machine can be integrated to FreeIPA Server for centralize authentication.

I am assuming “sysadm” user is already created on FreeIPA Sever for Linux Systems for centralize authentication, if not then execute the below commands from FreeIPA server to create the user,

[[email protected] ~]# kinit admin
Password for [email protected]:
[[email protected] ~]# ipa config-mod --defaultshell=/bin/bash
[[email protected] ~]# ipa user-add sysadm --first=System --last=Admin --password
Password:
Enter Password again to verify:
-------------------
Added user "sysadm"
-------------------
  User login: sysadm
  First name: System
  Last name: Admin
  Full name: System Admin
  Display name: System Admin
  Initials: SA
  Home directory: /home/sysadm
  GECOS: System Admin
  Login shell: /bin/bash
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20181118194031Z
  Email address: [email protected]
  UID: 1285200003
  GID: 1285200003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[[email protected] ~]#

First command is to get Kerberos credentials and second command to set default login shell for all users as “/bin/bash” and third command used for creating the user with name “sysadm

Steps to configure FreeIPA Client on Ubuntu 18.04 system

Step:1) Add DNS record of Ubuntu 18.04 system on FreeIPA Server

Login to your FreeIPA Server( In my case it is installed on CentOS 7) and run the beneath command to add dns record for FreeIPA client (i.e Ubuntu 18.04 system)

[[email protected] ~]# ipa dnsrecord-add linuxtechi.lan app01.linuxtechi.lan --a-rec 192.168.1.106
  Record name: app01.linuxtechi.lan
  A record: 192.168.1.106
[[email protected] ~]#

In the above command app01.linuxtechi.lan is my Ubuntu 18.04 system with IP address 192.168.1.106.

Note: Make sure your FreeIPA Server and Clients are on the same timezone and getting the time from NTP Servers.

Step:2) Install FreeIPA client Packages using apt-get command

Run the below command from your ubuntu system to install freeipa-client along with the dependencies,

[email protected]:~$ sudo apt-get install freeipa-client oddjob-mkhomedir -y

While installing the freeipa-client, we will below screen, Hit enter to Skip

Step:3) Update /etc/hosts file of FreeIPA client (Ubuntu 18.04)

Add below entries of your FreeIPA Server in /etc/hosts file

[email protected]:~$ echo "192.168.1.105 ipa.linuxtechi.lan ipa" | sudo tee -a /etc/hosts

Change IP address and hostname that suits to your setup.

Step:4) Configure FreeIPA client using command ‘ipa-client-install’

Now run “ipa-client-install” command to configure freeipa-client on your ubuntu 18.04 system,

[email protected]:~$ sudo ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN

Change the FreeIPA Server address, domain name and realm that suits to your setup.

Output of above command would be something like below :

Now allow user’s home direction to be created automatically when they first time authenticated with FreeIPA Server.

Append the following line in the file “/usr/share/pam-configs/mkhomedir”

required pam_mkhomedir.so umask=0022 skel=/etc/skel

[email protected]:~$ echo "required pam_mkhomedir.so umask=0022 skel=/etc/skel" | sudo tee -a /usr/share/pam-configs/mkhomedir

Apply the above changes using following command,

[email protected]:~$ sudo pam-auth-update

Select OK and then hit enter,

Now try to login or ssh to your Ubuntu 18.04 system with sysadm user.

Step:5) Try to Login to your Ubuntu 18.04 System with sysadm user

Now ssh to your ubuntu 18.04 system using the sysadm user,

# ssh [email protected]
[email protected]'s password:
X11 forwarding request failed on channel 0
Password expired. Change your password now.
Creating directory '/home/sysadm'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
418 packages can be updated.
166 updates are security updates.
WARNING: Your password has expired.
You must change your password now and login again!
Current Password:
New password:
Retype new password:
passwd: password updated successfully
Connection to 192.168.1.106 closed.

As we can see, at the first time authentication, it will prompt us to set the new password as the password is expired and will disconnect that session.

Now try to ssh ubuntu system and this time we should able to connect,

# ssh [email protected]
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
Last login: Sat Dec  8 21:37:44 2018 from 192.168.1.101
/usr/bin/xauth:  timeout in locking authority file /home/sysadm/.Xauthority
[email protected]:~$
[email protected]:~$ id
uid=1285200003(sysadm) gid=1285200003(sysadm) groups=1285200003(sysadm)
[email protected]:~$

This confirms that we have successfully configure FreeIPA Client on Ubuntu 18.04 system.

Steps to configure FreeIPA Client on CentOS 7 System

Step:1) Add DNS record of CentOS 7 on FreeIPA Server

Run the following command from FreeIPA server,

[[email protected] ~]# ipa dnsrecord-add linuxtechi.lan db01.linuxtechi.lan --a-rec 192.168.1.103
  Record name: db01.linuxtechi.lan
  A record: 192.168.1.103
[[email protected] ~]#

Step:2) Add the FreeIPA Server details in /etc/hosts

Login to your centos 7 system and add the following in /etc/hosts file

[[email protected] ~]# echo "192.168.1.105 ipa.linuxtechi.lan ipa" >> /etc/hosts
[[email protected] ~]# echo "192.168.0.103 db01.linuxtechi.lan" >> /etc/hosts

Step:3 Install and Configure FreeIPA Client

Use the below command to install FreeIPA client on CentOS 7 system,

[[email protected] ~]# yum install freeipa-client -y

Now configure FreeIPA client using “ipa-client-install” command,

[[email protected] ~]# ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN

Use the same details and credentials that we have used while the same command in Ubuntu 18.04 system

If the above command is executed successfully then we should the output something like below,

………………………………………………
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.linuxtechi.lan/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring linuxtechi.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[[email protected] ~]#

Run the below command so that User’s home directory is created automatically at the first login,

[[email protected] ~]# authconfig --enablemkhomedir --update
[[email protected] ~]#

Now you should able to login to CentOS 7 system with sysadm user.

Steps to uninstall FreeIPA Client from Ubuntu 18.04 / CentOS 7

[[email protected] ~]# ipa-client-install --uninstall
[[email protected] ~]# rm -rf /var/lib/sss/db/*
[[email protected] ~]# systemctl restart sssd.service

That’s all from this article.

Facebook Comments

Show More

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button