To be able to configure a FreeIPA client, you need to set up a FreeIPA server first.
In this tutorial, we assume that the FreeIPA server is called ipaserver.example.com and the FreeIPA client ipaclient.example.com. If no DNS server is available (not advisable), update the /etc/hosts file on both machines accordingly.
Install the FreeIPA client packages:
# yum install -y ipa-client ipa-admintools
Execute the client installation script:
# ipa-client-install --force-ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com
Provide your IPA server name (ex: ipa.example.com): ipaserver.example.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ipaclient.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: ipaserver.example.com
BaseDN: dc=example,dc=com
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM: adminipa
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Sep 09 14:37:07 2014 UTC
    Valid Until: Sat Sep 09 14:37:07 2034 UTC
Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipaserver.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipaserver.example.com/ipa/xml'
Forwarding 'env' to server 'https://ipaserver.example.com/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server 'https://ipaserver.example.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.
Note: You can safely ignore the DNS-related messages (the failed DNS discovery at the start and the "Could not update DNS SSHFP records." line): to avoid these messages, additional configuration on the DNS server is required.
Check the configuration:
# getent passwd admin
admin:*:1118400000:1118400000:Administrator:/home/admin:/bin/bash
# getent group admins
admins:*:1118400000:admin
Source: RHEL 7 Linux Domain Identity Authentication and Policy Guide.
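Because DNS discovery was skipped, every value the client will use (server, realm, domain, base DN) was entered by hand and is now fixed in /etc/ipa/default.conf and /etc/krb5.conf. The script below is an added example, not part of the tutorial or of the FreeIPA project: it re-checks those files after enrollment, confirms they agree with each other and with the intended server, and confirms the server name is still resolvable through the hosts file used for the no-DNS fallback. The key names (server, realm, domain, basedn, default_realm) are those the installer writes; the sample files and the 192.0.2.x addresses are constructed so the script runs offline, and all paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of FreeIPA itself:
# sanity checks for a client enrolled with fixed values and no DNS discovery.

# Print the value of "key = value" from an ini-style file such as
# /etc/ipa/default.conf or /etc/krb5.conf. Prints nothing if the key is absent.
ipa_conf_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1
}

# Succeed if the hosts file maps a name (in any name column) to an address;
# this is the fallback the tutorial describes when no DNS server is available.
hosts_has_entry() {
    hostsfile=$1; name=$2
    sed 's/#.*//' "$hostsfile" |
        awk -v n="$name" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                           END { exit found ? 0 : 1 }'
}

# Check that the enrolled server, realm, domain and base DN are the intended
# ones and agree with each other, and that the server name still resolves.
# Arguments: <etc dir> <hosts file> <server> <realm> <domain>
verify_ipa_client() {
    etc=$1; hostsfile=$2; want_server=$3; want_realm=$4; want_domain=$5
    conf="$etc/ipa/default.conf"
    krb="$etc/krb5.conf"
    [ -r "$conf" ] || { echo "missing $conf: client is not enrolled"; return 1; }

    server=$(ipa_conf_get "$conf" server)
    realm=$(ipa_conf_get "$conf" realm)
    domain=$(ipa_conf_get "$conf" domain)
    basedn=$(ipa_conf_get "$conf" basedn)
    [ "$server" = "$want_server" ] || { echo "enrolled against '$server', expected '$want_server'"; return 1; }
    [ "$realm" = "$want_realm" ] || { echo "realm is '$realm', expected '$want_realm'"; return 1; }
    [ "$domain" = "$want_domain" ] || { echo "domain is '$domain', expected '$want_domain'"; return 1; }

    # With the installer's defaults the realm is the upper-cased domain and the
    # base DN is the domain split into dc= components (dc=example,dc=com).
    want_basedn=$(printf '%s' "$domain" | sed -e 's/\./,dc=/g' -e 's/^/dc=/')
    [ "$basedn" = "$want_basedn" ] || { echo "basedn '$basedn' does not match domain '$domain'"; return 1; }
    upper_domain=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper_domain" ] || { echo "realm '$realm' does not match domain '$domain'"; return 1; }

    # Kerberos must default to the same realm, or kinit will look for the wrong KDC.
    krb_realm=$(ipa_conf_get "$krb" default_realm)
    [ "$krb_realm" = "$realm" ] || { echo "krb5.conf default_realm is '$krb_realm', expected '$realm'"; return 1; }

    # Without DNS discovery the fixed server name must be resolvable locally.
    hosts_has_entry "$hostsfile" "$server" || { echo "$server is not in $hostsfile"; return 1; }
    return 0
}

# Constructed sample files mirroring the values shown in the enrollment output
# above (the addresses are documentation-range placeholders, not real hosts).
write_sample_configs() {
    dir=$1
    mkdir -p "$dir/ipa"
    printf '%s\n' '[global]' 'basedn = dc=example,dc=com' 'realm = EXAMPLE.COM' \
        'domain = example.com' 'server = ipaserver.example.com' \
        'host = ipaclient.example.com' \
        'xmlrpc_uri = https://ipaserver.example.com/ipa/xml' > "$dir/ipa/default.conf"
    printf '%s\n' '[libdefaults]' '  default_realm = EXAMPLE.COM' > "$dir/krb5.conf"
    printf '%s\n' '# constructed hosts file for the no-DNS fallback' \
        '127.0.0.1   localhost' \
        '192.0.2.10  ipaserver.example.com ipaserver' \
        '192.0.2.20  ipaclient.example.com ipaclient' > "$dir/hosts"
}

# Demo against the constructed files. On a real client run instead:
#   verify_ipa_client /etc /etc/hosts ipaserver.example.com EXAMPLE.COM example.com
sample=$(mktemp -d)
write_sample_configs "$sample"
if verify_ipa_client "$sample" "$sample/hosts" ipaserver.example.com EXAMPLE.COM example.com; then
    echo "client configuration is consistent"
fi
rm -rf "$sample"
```

Each check fails closed with a message naming the mismatching file, so the script can be run from a post-enrollment hook or a configuration audit; a mismatch between default.conf and krb5.conf, or a server name that no longer resolves, is exactly the kind of drift that leaves a client authenticating against the wrong realm or silently unable to reach its KDC.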
Hi
There is a bug with FreeIPA. If the following is not set, then configuring the certificate server (pki-tomcatd) fails or causes issues.
The host name must also be set in /etc/hostname:
ipaserver.example.com
Enjoy
Thank you, that is exactly what solved my problem.
Gjorgi
You're welcome.
Just note, I ended up using each component separately, i.e. bind, dnsmasq (virtual server), etc. for my setup.
Would installing openldap-clients and nss-pam-ldapd do the same thing?
I don't think so, but I'm not an expert on this point. FreeIPA is more than a simple LDAP server.