ipa user-find --all --raw = Print all FreeIPA users with their raw attribute names.
- Problem: FreeIPA server attempted to install and failed, and you can't run the install command again
- Solution: Run
ipa-server-install --uninstall
- Solution: Run
- Problem: FreeIPA installation logs for Tomcat show an error like this:
SEVERE [https-jsse-nio-8443-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [] threw exception [org.apache.jasper. JasperException: Unable to compile class for JSP] with root cause Unable to find a javac compiler; com.sun.tools.javac.Main is not on the classpath. Perhaps JAVA_HOME does not point to the JDK. It is currently set to "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.412.b08-2.0.1.el8.x86_64/jre"- Solution: Install
java-1.8.0-opendk-devel
- Solution: Install
- OEL8 FreeIPA server guide
- RHEL FreeIPA server guide
- A subdomain for the FreeIPA server is recommended. e.g. if your domain is
example.comand your server isfreeipa, then create a subdomainipa.example.comso the FQDN of the FreeIPA server isfreeipa.ipa.example.com - Allow FreeIPA clients to reach the FreeIPA server on these ports:
HTTP/HTTPS 80,443 TCP LDAP/LDAPS 389,636 TCP Kerberos 88,464 TCP & UDP NTP 123 UDP DNS 53 TCP & UDP - Set a static hostname
hostnamectl set-hostname freeipa.ipa.example.com
- Edit /etc/hosts
10.128.1.1 freeipa.ipa.example.com freeipa 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 - Create a DNS A record for the static hostname you set in /etc/hostname. Set the A record to resolve to the IPA server's private IP
resolvectl query --cache=false freeipa.ipa.example.com dig freeipa.ipa.example.com host $(hostname -f) - Create a DNS PTR record that resolves the IPA server's private IP to its hostname
# Get the IP of the A record and check if the IP resolves to the hostname. resolvectl query --cache=false "$(resolvectl query --cache=false freeipa.ipa.example.com | awk '{print $2}' | head -1)" dig -x <PUT IP HERE> host $(hostname -i)
- Enable the repo
sudo dnf module enable idm:DL1 - Install packages
sudo dnf install -y ipa-server ipa-server-dns java-1.8.0-openjdk-devel
- Setup FreeIPA as a server
sudo ipa-server-install -v sudo ipa-dns-install --allow-zone-overlap
- Confirm server is listening on ports
nmap localhost netstat -plant | grep "LISTEN" | grep -E "80|53|443|389|636|88|464|123"
- RHEL FreeIPA client guide
- Set a static hostname
hostnamectl set-hostname ipaclient.ipa.example.com
- Edit /etc/hosts
10.128.1.1 ipaclient.ipa.example.com ipaclient 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost6 localhost6.localdomain6 - Enable the repo
sudo dnf module enable idm:client - Install package (and troubleshooting tools)
sudo dnf install -y ipa-client nmap
- Confirm client can resolve server
dig freeipa.ipa.example.com
- Confirm client can reach server on required ports
sudo nmap freeipa.ipa.example.com
- Setup FreeIPA as a client
sudo ipa-client-install -v
- Test logging in as a domain user
id admin@IPA.EXAMPLE.COM su admin@IPA.EXAMPLE.COM
NOTE: For Windows clients, the FreeIPA server MUST be configured to provide DNS and the Windows client must use the FreeIPA server as its primary DNS server. Otherwise the Windows client won't know which server to use to authenticate domain accounts.
- ON FREEIPA SERVER (Web GUI):
- Add Windows host:
Identity->Hosts->Add
- Add Windows host:
- ON FREEIPA SERVER (Shell)
- Login as Admin
# Login kinit admin # Check for valid ticket klist
- Create keytab for the Windows host
# Show permitted encryption types. This will be used for the -e option. ipa-getkeytab --permitted-enctypes # Assumes the hostname of the windows host is windowsclient.ipa.example.com # Assumes the hostname of the FreeIPA server is freeipa.ipa.example.com # Creates the krb5.keytab.windowsclient.example.com file at ./ # The Principal password used here is used by the Windows client in a later step ipa-getkeytab -s freeipa.ipa.example.com -p host/windowsclient.ipa.example.com -e aes256-cts -k krb5.keytab.windowsclient.ipa.example.com -P
- Login as Admin
- ON WINDOWS CLIENT:
- Confirm client can resolve server
nslookup freeipa.ipa.example.com - Confirm client can reach server on required ports
Test-NetConnection freeipa.ipa.example.com -port 88 Test-NetConnection freeipa.ipa.example.com -port 389 Test-NetConnection freeipa.ipa.example.com -port 464 Test-NetConnection freeipa.ipa.example.com -port 636
- Configure client
ksetup /setdomain EXAMPLE.COM ksetup /addkdc EXAMPLE.COM freeipa.ipa.example.com ksetup /addkpasswd EXAMPLE.COM freeipa.ipa.example.com :: Use the Principal password that you set during the ipa-getkeytab command earlier ksetup /setcomputerpassword MySuperSecretPassword! ksetup /mapuser * *
- Reboot client
- Add local users on the client corresponding to the users in FreeIPA who you wish to have access. Don't include the
@IPA.EXAMPLE.COMpart (the realm name) when adding the local user.- Run
lusrmgr.mscto add local users. - Don't create a password for the local user since you'll be using FreeIPA to authenticate.
- Run
- Under
Groups->Remote Desktop Users, add the user you created to the group to permit RDP login. - Disable Network Level Authentication
- Run
sysdm.cpl->Remote-> disableAllow connections only from computers running Remote Desktop with Network Level Authentication(See here for for more info)
- Run
- Test logging in as the new user over RDP.
- Run
mstscon a different PC - Login with the domain account:
user@IPA.EXAMPLE.COM
- Run
- Confirm client can resolve server
- NFS in IdM
- ON NFS/FREEIPA SERVER (in this example the NFS server and the FreeIPA server are on the same host)
- Cloud: configure ports
- Ensure the NACL for the subnet the FreeIPA server is on allows the following traffic outbound.
NFS 2049 TCP & UDP RPC 111 TCP & UDP - Ensure the Security Group for the FreeIPA server allows all TCP traffic outbound.
- Ensure the NACL for the subnet the FreeIPA server is on allows the following traffic outbound.
- Obtain a Kerberos ticket as admin
kinit admin
- Create an NFS service principal
ipa service-add nfs/ipa.example.com
- Store the service principal in the Kerberos keytab file
ipa-getkeytab -s ipa.example.com -p nfs/ipa.example.com -k /etc/krb5.keytab
- View the principals
klist -k /etc/krb5.keytab
- Create home directories for users
mkdir -p /nfs/ipahome/admin mkdir -p /nfs/ipahome/myuser chown root:root /nfs/ chown root:root /nfs/ipahome/ chown admin@EXAMPLE.COM:admins /nfs/ipahome/admin/ chown myuser@EXAMPLE.COM:developers /nfs/ipahome/myuser/
- Update
/etc/exports(assumes exporting/nfs/ipahomeon the server to clients at10.128.0.0/16)/nfs/ipahome 10.128.0.0/16(rw,sec=krb5p) - Reload the exports
exportfs -rav
- Enable and start NFS server
dnf install nfs-utils -y systemctl enable --now nfs-server systemctl status nfs-server - Check if rpcbind and NFS are listening on the server. Also check mounts
nmap localhost showmount -e localhost
- Create the automount location (assumes the automount location is called
homedirs)ipa automountlocation-add homedirs
- Create the automount map for the automount location (assumes the automount map is called
auto.ipahome)ipa automountmap-add homedirs auto.ipahome
- Update the
auto.ipahomemap with mount informationipa automountkey-add homedirs auto.ipahome --key='*' --info='-sec=krb5p,vers=4 ipa.example.com:/nfs/ipahome/&'
- Update the
auto.mastermap with theauto.ipahomemap.ipa automountkey-add homedirs auto.master --key=/ipahome --info=auto.ipahome
- Cloud: configure ports
- ON FREEIPA SERVER WEB GUI
- Update the home directory paths of users (assumes users are
adminandmyuser)Identity -> Users -> Active users -> select user -> Home directory -> change to /ipahome/admin or /ipahome/myuser
- Update the home directory paths of users (assumes users are
- ON FREEIPA CLIENT
- Cloud: configure ports
- Ensure the NACL for the subnet the FreeIPA client is on allows all TCP traffic from the subnet the FreeIPA server is on.
- Ensure the Security Group for the FreeIPA client allows all TCP traffic from the FreeIPA server.
- Install AutoFS
dnf install autofs -y
- Mount the configured location
ipa-client-automount --location homedirs systemctl stop autofs ; sss_cache -E ; systemctl start autofs
- Check mounts
mount | grep autofs - Test logging in as users
su admin@EXAMPLE.COM cd echo "test content" > myfile.txt ls -al su myuser@EXAMPLE.COM
- Cloud: configure ports
- Problem: NFS client gets a permission denied error when attempting to mount NFS share from server using krb5p authentication.
- Solution: Ensure the NFS service principal is in the Kerberos keytab. Run
klist -ketand look for the NFS service. If it's not there, add it withipa-getkeytab -s ipa.example.com -p nfs/ipa.example.com -k /etc/krb5.keytab
- Solution: Ensure the NFS service principal is in the Kerberos keytab. Run
- ON CLIENT WORKSTATION
- Install PuTTy-CAC
- Add CAC cert (this part may not be necessary):
- Launch the
pageantbinary PuTTy-CAC tool (it immediately goes to the Windows taskbar) - Right-click
pageanttaskbar icon ->Add CAPI cert-> Select your CAC card - Right-click
pageanttaskbar icon ->View Keys & Certs-> Verify your CAC cert has been added
- Launch the
- Right click
pageanttaskbar icon ->New Session - In left seetings pane ->
Connection->SSH->Certificate->Set CAPI Cert...-> Select your CAC cert. Verify the cert has been added by checking that theSelected thumbprintfield has been populated. - In right pane ->
Authorized Keys file value-> clickCopy To Clipboard
- ON FREEIPA SERVER GUI
Identity->Users-> Select the user you wish to use with CAC login ->SSH public keys->Add-> Paste in theAuthorized Keys file valuefrom the PuTTy Configuration
- ON CLIENT WORKSTATION
- Attempt to start a PuTTy session now. You should be prompted for your CAC PIN and authenticate.