In this brief guide, I’ll walk you through setting up a FreeIPA network under the Red Hat family of operating systems.

What is FreeIPA?

FreeIPA is Red Hat’s answer to Microsoft’s Active Directory service. It uses a combination of LDAP and Kerberos to provide a centralised system of identity and system configuration management.

FreeIPA can provide user authentication and authorization for system login and access to network services such as NFS and can manage configuration of system services including DNS, automount and sudo.

This guide will walk through setting up a basic FreeIPA network with server and client with all of the aforementioned services. In this case, the server will be running under CentOS 7.4 and the client will be running under Fedora 27, however the process will be much the same for other versions of CentOS, Fedora, and Red Hat Enterprise Linux.

For more detailed instructions on configuring and managing FreeIPA, check out the Linux Domain Identity, Authentication, and Policy Guide from Red Hat.

Configuring the Server

See Installing and Uninstalling an Identity Management Server from the IPA Guide.

FreeIPA generally uses hostnames and domain names to identify hosts that it manages. This gives the benefit of allowing for host with dynamically allocated IP addresses. DNS is required to ensure that a hostname can always be used to resolve the same host.

FreeIPA also uses DNS to discover the server and domain name to use when joining from a network managed by the service.

The FreeIPA server will require that its Fully Qualified Domain Name will actually resolve to its own hostname.

You should make sure that the domain you are using a domain name that you actually own and control for your network.

Namecheap is one service that can provide cheap domain names.

IP Address Configuration

You will need to make sure that your server’s IP address is statically configured. You can use the nmcli tool to configure your network settings.

To list your network connections:

ipa-server$ nmcli connection

To set the IP address of a connection (making sure to set the netmask with the address correctly):

ipa-server$ nmcli connection modify connection ipv4.address ip-address/netmask

Hostname Configuration

The name of the host itself should be changed to the desired FQDN of the host.

ipa-server$ hostnamectl set-hostname hostname.network-domain

Also, the /etc/hosts file needs to be updated to also include the FQDN of the server. The first line in the /etc/hosts file should map the public IP address that was configured to the FQDN of the host, followed by the single hostname.

# /etc/hosts

ip-address hostname.network-domain hostname
...

Configuring FreeIPA

Download and configure the server software as follows:

ipa-server$ yum install -y freeipa-server
ipa-server$ ipa-server-install

At the time of writing, there are some issues with SELinux denying FreeIPA from managing the BIND nameserver. It is recommended to configure and manage BIND manually.

An addition to the SELinux issue, FreeIPA does not appear to correctly populate the BIND zones.

This does mean that either DHCPd will be required to manage DDNS or that static DNS will need to be used.

Once the server has been installed, you will need to configure the firewall to allow traffic to the network sources.

ipa-server$ firewall-cmd --permanent \
    --add-service kerberos \
    --add-service ntp \
    --add-service http \
    --add-service https \
    --add-service ldap \
    --add-service ldaps \
    --add-service kpasswd
ipa-server$ firewall-cmd --reload

NSSwitch for Sudoers

To ensure that the system services correctly pick up their configuration from FreeIPA, you should modify the /etc/nsswitch.conf file to add the following line:

# /etc/nsswitch

...
sudoers: files sss
...

The sss option may need to be added to other sections of the /etc/nsswitch.conf file.

Reboot

After a reboot for good measure, you should now have a functioning FreeIPA server.

FreeIPA can be easily uninstalled with the following command:

ipa-server$ ipa-server-install --uninstall

Configuring a Client

See Installing and Uninstalling Identity Management Clients from the IPA Guide.

Hostname Configuration

Much like the server, the name of the host itself should be changed to the desired FQDN of the host.

client$ hostnamectl set-hostname hostname.network-domain

Configuring FreeIPA

First, you’ll need to download the software packages and run the configuration tool on the client:

client$ dnf install freeipa-client
client$ ipa-client-install \
    --hostname hostname.network-domain \
    --domain network-domain \
    --server server-hostname.network-domainM

Unless you have set up another administrator, you will need to use the admin user configured when you set up the server to join the FreeIPA system.

NSSwitch for Sudoers

To ensure that the system services correctly pick up their configuration from FreeIPA, you should modify the /etc/nsswitch.conf file to add the following line:

# /etc/nsswitch

...
sudoers: files sss
...

The sss option may need to be added to other sections of the /etc/nsswitch.conf file.

Reboot

After a reboot for good measure, you should now have a functioning FreeIPA client.

FreeIPA can be easily uninstalled with the following command:

client$ ipa-client-install --uninstall

Configuring the NFS Server

See Setting up a Kerberos-aware NFS Server from the IPA Guide.

First, a ticket must first be obtained.

nfs-server$ kinit admin

A service principal must then be added for the server that is providing the NFS service.

nfs-server$ ipa service-add nfs/nfs-server-hostname.network-domain

The service principal must then be added to the server’s keytab.

nfs-server$ ipa-getkeytab \
    -s ipa-server.network-domain \
    -p nfs/nfs-server-hostname.network-domain \
    -k /etc/krb5.keytab

The exports can then be added to the /etc/exports file. Exports should include one of the following options:

  • sec=krb5; which only uses kerberos for authentication,
  • sec=krb5i; which uses kerberos for authentication and uses an integrity hash when communicating,
  • sec=krb5p; which requires an encrypted connection as well as using kerberos for authentication, or
  • sec=krb5:krb5i:krb5p; to allow for any of the above mechanisms.
# Example /etc/exports

/home 192.168.0.0/16(rw,sec=krb5p) 10.0.0.0/8(rw,sec=krb5p)
/export *(rw,sec=krb5)

Make sure to restart the NFS service once the exports have been changed.

nfs-server$ systemctl restart nfs-server

And then allow the relevant services through the firewall.

nfs-server$ firewall-cmd --permanent \
    --add-service nfs \
    --add-service rpc-bind \
    --add-service mountd

Configuring Automount Rules

FreeIPA manages automount by locations. Each location is a set of automount rules. When a automount client is configured, it is added to one of the automount locations.

See Configuring Locations from the IPA Guide.

Once a location has been configured (default exists when the server is configured and is used by default when a client is configured for automount), maps will need to be configured. A map is an association of a mount point and a set of keys.

Each location will have the auto.master map, which maps individual maps to their respective mountpoints, and the auto.direct map, which is used for managing automounts that mount directly to the root of the client.

Keys within a map map actual devices to directories within the mount point of the map.

See Configuring Maps from the IPA Guide.

Network Home

An example use of automount would be to configure network home directories. We’ll assume that all clients in the default location will be using network home directories. The home directories of all users are stored in the /home directory on the nfs-server.

In the default location we’ll add an indirect map called auto.home which will mount on the /home directory of all clients.

Setting up an indirect map will add the map to auto.master for us.

In the auto.home map, we’ll add the key * with the following value:

-rw,soft nfs-server.network-domain:/home/&

As the users’ home directory will be on a network share, new users will not be able to have home directories automatically created for them, so the will need to be created manually on the server. You may want to create a script for creating new users and generating their home directories.

Configuring an Automount NFS Client

See Configuring Automount from the IPA Guide.

For mobile devices, it is not recommended to use a network home directory. Instead, it is recommended that a home directory be made on each device the user logs into.

To enable this behaviour on a client, run the following command before restarting:

client$ authconfig --enablemkhomedir --update

For a client to use the automounts in a given location, it will need to be added to that automount location.

client$ ipa-client-automount --location location

If the --location argument is omitted, the default location will be used.

Once the client has been added to the location, the /etc/nsswitch.conf file will need to be edited to enable automount configuration to be loaded from sssd.

# /etc/nsswitch.conf

...
automount: files sss
...

Then the relevent services should be restarted.

client$ systemctl restart sssd autofs nfs-client.target

Using Your FreeIPA System

Now you should have a fully functioning FreeIPA system. For maintenance tasks, the web interface can be accessed via a web browser by navigating to you FreeIPA server.

For more information on managing FreeIPA, I’d recommend reading through the IPA Guide.