FreeIPA is a powerful open-source identity management system that provides centralized authentication, authorization, and accounting services. In this post, we will walk through the steps to configure FreeIPA client on Ubuntu 22.04 / 20.04. After configuring the freeipa client then we will try to login with the user created on FreeIPA server.
In our previous post, we had already discussed FreeIPA Server installation steps on RHEL8/Rokcy Linux 8/ AlmaLinux 8.
Also Read: How to Install FreeIPA Server on RHEL 8 | Rocky Linux 8 | AlmaLinux 8
Creating User on FreeIPA Server for Centralization Authentication
Login to your freeipa server and create a user with name “sysadm”, run the following commands
$ sudo kinit admin Password for [email protected]: $ $ sudo ipa config-mod --defaultshell=/bin/bash $ sudo ipa user-add sysadm --first=System --last=Admin --password Password: Enter Password again to verify: ------------------- Added user "sysadm" ------------------- User login: sysadm First name: System Last name: Admin Full name: System Admin Display name: System Admin Initials: SA Home directory: /home/sysadm GECOS: System Admin Login shell: /bin/bash Principal name: [email protected] Principal alias: [email protected] User password expiration: 20230415073041Z Email address: [email protected] UID: 464600003 GID: 464600003 Password: True Member of groups: ipausers Kerberos keys available: True $
First command is to get Kerberos credentials and second command to set default login shell for all users as “/bin/bash” and third command used for creating the user with name “sysadm”
Steps to configure FreeIPA Client on Ubuntu 22.04 /20.04
Perform the following steps to configure FreeIPA client for centralize authentication.
1) Add DNS record of Ubuntu System on FreeIPA Server
Login to your FreeIPA Server and run the beneath command to add dns record for FreeIPA client (i.e Ubuntu 22.04/20.04)
$ sudo ipa dnsrecord-add linuxtechi.lan app01.linuxtechi.lan --a-rec 192.168.1.106 Record name: app01.linuxtechi.lan A record: 192.168.1.106 $
In the above command app01.linuxtechi.lan is my Ubuntu system with IP address 192.168.1.106.
Note: Make sure your FreeIPA Server and Clients are on the same timezone and getting the time from NTP Servers.
2) Install FreeIPA client Package
Run the below command from your Ubuntu system to install freeipa-client along with the dependencies,
$ sudo apt install freeipa-client oddjob-mkhomedir -y
While installing freeipa-client, we will get following screen, Choose OK and hit enter
In the next screen, Hit enter to skip,
3) Add FreeIPA Server IP & hostname in hosts file
Add below entries of your FreeIPA Server in /etc/hosts file
$ echo "192.168.1.102 ipa.linuxtechi.lan ipa" | sudo tee -a /etc/hosts $ echo "192.168.1.106 app01.linuxtechi.lan app01" | sudo tee -a /etc/hosts
Change IP address and hostname that suits to your setup.
4) Configure FreeIPA client using ipa-client-install
Now run following “ipa-client-install” command to configure freeipa-client on your Ubuntu system,
$ sudo ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN
Change the FreeIPA Server address, domain name and realm that suits to your setup.
Output of above command would be something like below :
Perfect, output above confirms that ipa-client installation was successful.
Now allow user’s home directory to be created automatically when they first time authenticated with FreeIPA Server.
Append the following line in the file “/usr/share/pam-configs/mkhomedir”
required pam_mkhomedir.so umask=0022 skel=/etc/skel
$ echo "required pam_mkhomedir.so umask=0022 skel=/etc/skel" | sudo tee -a /usr/share/pam-configs/mkhomedir
To make above changes into affect, run following command
$ sudo pam-auth-update
Select OK and then hit enter.
5) Try to Login to your Ubuntu System with sysadm user
Try to ssh or login to your Ubuntu system using the sysadm user,
$ ssh [email protected]
As you can see above, when we first time to login, it says password expired. It will prompt us to set new password and will disconnect the session.
After updating the password, try to ssh ubuntu system and this time we should able to login.
$ ssh [email protected]
Output,
Great, output above confirms that we have successfully login to our Ubuntu system using a centralize user. This also shows that we have successfully configured FreeIPA client.
In case, you want to uninstall freeipa from your ubuntu system then run following set of commands,
$ sudo ipa-client-install --uninstall $ sudo rm -rf /var/lib/sss/db/* $ sudo systemctl restart sssd.service
That’s all from this post, I believe you have found it informative. Kindly do post your queries and feedback in below comments section.
Very nice article but is there a command not listed in the article right after “Apply the above changes using following command,”
Hi Bruce,
Thanks for notifying the missing command, now i have updated the article with correct suggested “pam-auth-update” command.
Excellent, thank you for a concise, quality guide.
I’m encountering an issue with the sudo command in an IPA AD-trust environment. Specifically while logging in with Active Directory (AD) credentials works, the sudo command fails on Ubuntu versions 22.04 and 24.04. This problem does not occur on other Ubuntu flavors, CentOS or Red Hat-based distributions.
$ sudo su
sudo: PAM account management error: Permission denied
sudo: a password is required