In our previous article we have already discussed about FreeIPA and its installation steps on CentOS 7 Server, in this article we will discuss how an Ubuntu 18.04 and CentOS 7 machine can be integrated to FreeIPA Server for centralize authentication.
I am assuming “sysadm” user is already created on FreeIPA Sever for Linux Systems for centralize authentication, if not then execute the below commands from FreeIPA server to create the user,
[[email protected] ~]# kinit admin Password for [email protected]: [[email protected] ~]# ipa config-mod --defaultshell=/bin/bash [[email protected] ~]# ipa user-add sysadm --first=System --last=Admin --password Password: Enter Password again to verify: ------------------- Added user "sysadm" ------------------- User login: sysadm First name: System Last name: Admin Full name: System Admin Display name: System Admin Initials: SA Home directory: /home/sysadm GECOS: System Admin Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] User password expiration: 20181118194031Z Email address: [email protected] UID: 1285200003 GID: 1285200003 Password: True Member of groups: ipausers Kerberos keys available: True [[email protected] ~]#
First command is to get Kerberos credentials and second command to set default login shell for all users as “/bin/bash” and third command used for creating the user with name “sysadm”
Steps to configure FreeIPA Client on Ubuntu 18.04 system
Step:1) Add DNS record of Ubuntu 18.04 system on FreeIPA Server
Login to your FreeIPA Server( In my case it is installed on CentOS 7) and run the beneath command to add dns record for FreeIPA client (i.e Ubuntu 18.04 system)
[[email protected] ~]# ipa dnsrecord-add linuxtechi.lan app01.linuxtechi.lan --a-rec 192.168.1.106 Record name: app01.linuxtechi.lan A record: 192.168.1.106 [[email protected] ~]#
In the above command app01.linuxtechi.lan is my Ubuntu 18.04 system with IP address 192.168.1.106.
Note: Make sure your FreeIPA Server and Clients are on the same timezone and getting the time from NTP Servers.
Step:2) Install FreeIPA client Packages using apt-get command
Run the below command from your ubuntu system to install freeipa-client along with the dependencies,
[email protected]:~$ sudo apt-get install freeipa-client oddjob-mkhomedir -y
While installing the freeipa-client, we will below screen, Hit enter to Skip
Step:3) Update /etc/hosts file of FreeIPA client (Ubuntu 18.04)
Add below entries of your FreeIPA Server in /etc/hosts file
[email protected]:~$ echo "192.168.1.105 ipa.linuxtechi.lan ipa" | sudo tee -a /etc/hosts
Change IP address and hostname that suits to your setup.
Step:4) Configure FreeIPA client using command ‘ipa-client-install’
Now run “ipa-client-install” command to configure freeipa-client on your ubuntu 18.04 system,
[email protected]:~$ sudo ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN
Change the FreeIPA Server address, domain name and realm that suits to your setup.
Output of above command would be something like below :
Now allow user’s home direction to be created automatically when they first time authenticated with FreeIPA Server.
Append the following line in the file “/usr/share/pam-configs/mkhomedir”
required pam_mkhomedir.so umask=0022 skel=/etc/skel
[email protected]:~$ echo "required pam_mkhomedir.so umask=0022 skel=/etc/skel" | sudo tee -a /usr/share/pam-configs/mkhomedir
Apply the above changes using following command,
[email protected]:~$ sudo pam-auth-update
Select OK and then hit enter,
Now try to login or ssh to your Ubuntu 18.04 system with sysadm user.
Step:5) Try to Login to your Ubuntu 18.04 System with sysadm user
Now ssh to your ubuntu 18.04 system using the sysadm user,
# ssh [email protected] [email protected]'s password: X11 forwarding request failed on channel 0 Password expired. Change your password now. Creating directory '/home/sysadm'. Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch 418 packages can be updated. 166 updates are security updates. WARNING: Your password has expired. You must change your password now and login again! Current Password: New password: Retype new password: passwd: password updated successfully Connection to 192.168.1.106 closed.
As we can see, at the first time authentication, it will prompt us to set the new password as the password is expired and will disconnect that session.
Now try to ssh ubuntu system and this time we should able to connect,
# ssh [email protected] Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64) Last login: Sat Dec 8 21:37:44 2018 from 192.168.1.101 /usr/bin/xauth: timeout in locking authority file /home/sysadm/.Xauthority [email protected]:~$ [email protected]:~$ id uid=1285200003(sysadm) gid=1285200003(sysadm) groups=1285200003(sysadm) [email protected]:~$
This confirms that we have successfully configure FreeIPA Client on Ubuntu 18.04 system.
Steps to configure FreeIPA Client on CentOS 7 System
Step:1) Add DNS record of CentOS 7 on FreeIPA Server
Run the following command from FreeIPA server,
[[email protected] ~]# ipa dnsrecord-add linuxtechi.lan db01.linuxtechi.lan --a-rec 192.168.1.103 Record name: db01.linuxtechi.lan A record: 192.168.1.103 [[email protected] ~]#
Step:2) Add the FreeIPA Server details in /etc/hosts
Login to your centos 7 system and add the following in /etc/hosts file
[[email protected] ~]# echo "192.168.1.105 ipa.linuxtechi.lan ipa" >> /etc/hosts [[email protected] ~]# echo "192.168.0.103 db01.linuxtechi.lan" >> /etc/hosts
Step:3 Install and Configure FreeIPA Client
Use the below command to install FreeIPA client on CentOS 7 system,
[[email protected] ~]# yum install freeipa-client -y
Now configure FreeIPA client using “ipa-client-install” command,
[[email protected] ~]# ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN
Use the same details and credentials that we have used while the same command in Ubuntu 18.04 system
If the above command is executed successfully then we should the output something like below,
……………………………………………… [try 1]: Forwarding 'host_mod' to json server 'https://ipa.linuxtechi.lan/ipa/session/json' Could not update DNS SSHFP records. SSSD enabled Configured /etc/openldap/ldap.conf Configured /etc/ssh/ssh_config Configured /etc/ssh/sshd_config Configuring linuxtechi.lan as NIS domain. Client configuration complete. The ipa-client-install command was successful [[email protected] ~]#
Run the below command so that User’s home directory is created automatically at the first login,
[[email protected] ~]# authconfig --enablemkhomedir --update [[email protected] ~]#
Now you should able to login to CentOS 7 system with sysadm user.
Steps to uninstall FreeIPA Client from Ubuntu 18.04 / CentOS 7
[[email protected] ~]# ipa-client-install --uninstall [[email protected] ~]# rm -rf /var/lib/sss/db/* [[email protected] ~]# systemctl restart sssd.service
That’s all from this article.