In our previous article we discussed FreeIPA and its installation on a CentOS 7 server; in this article we will discuss how Ubuntu 18.04 and CentOS 7 machines can be integrated with a FreeIPA server for centralized authentication.
Read More: How to Install and Configure FreeIPA on CentOS 7 Server
I am assuming that a “sysadm” user has already been created on the FreeIPA server for centralized authentication of Linux systems; if not, execute the commands below on the FreeIPA server to create the user:
[root@ipa ~]# kinit admin
Password for admin@LINUXTECHI.LAN:
[root@ipa ~]# ipa config-mod --defaultshell=/bin/bash
[root@ipa ~]# ipa user-add sysadm --first=System --last=Admin --password
Password:
Enter Password again to verify:
-------------------
Added user "sysadm"
-------------------
  User login: sysadm
  First name: System
  Last name: Admin
  Full name: System Admin
  Display name: System Admin
  Initials: SA
  Home directory: /home/sysadm
  GECOS: System Admin
  Login shell: /bin/bash
  Principal name: sysadm@LINUXTECHI.LAN
  Principal alias: sysadm@LINUXTECHI.LAN
  User password expiration: 20181118194031Z
  Email address: sysadm@linuxtechi.lan
  UID: 1285200003
  GID: 1285200003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ipa ~]#
The first command obtains Kerberos credentials, the second sets the default login shell for all users to “/bin/bash”, and the third creates the user named “sysadm”.
Steps to configure FreeIPA Client on Ubuntu 18.04 system
Step:1) Add DNS record of Ubuntu 18.04 system on FreeIPA Server
Log in to your FreeIPA server (in my case it is installed on CentOS 7) and run the command below to add a DNS record for the FreeIPA client (i.e. the Ubuntu 18.04 system):
[root@ipa ~]# ipa dnsrecord-add linuxtechi.lan app01.linuxtechi.lan --a-rec 192.168.1.106
  Record name: app01.linuxtechi.lan
  A record: 192.168.1.106
[root@ipa ~]#
In the above command app01.linuxtechi.lan is my Ubuntu 18.04 system with IP address 192.168.1.106.
Note: Make sure your FreeIPA server and clients are in the same timezone and get their time from NTP servers; Kerberos authentication depends on the clocks being in sync.
Step:2) Install FreeIPA client Packages using apt-get command
Run the command below on your Ubuntu system to install freeipa-client along with its dependencies:
pkumar@app01:~$ sudo apt-get install freeipa-client oddjob-mkhomedir -y
While installing freeipa-client, the configuration screen below appears; hit Enter to skip it.
Step:3) Update /etc/hosts file of FreeIPA client (Ubuntu 18.04)
Add the following entry for your FreeIPA server to the /etc/hosts file:
pkumar@app01:~$ echo "192.168.1.105 ipa.linuxtechi.lan ipa" | sudo tee -a /etc/hosts
Change the IP address and hostname to suit your setup.
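Before running ipa-client-install it is worth confirming the three prerequisites from steps 1 to 3 on the client: the hostname is a fully qualified name inside the IPA domain, /etc/hosts maps the IPA server, and the clock is within Kerberos' tolerance of the server's. The script below is an added example and not part of the original article or of FreeIPA; it reuses the article's server name, IP and domain as constants, assumes MIT Kerberos' default 5-minute clock skew tolerance, and runs offline against a constructed hosts file so it can be tried anywhere.

```shell
#!/bin/sh
# Pre-enrollment checks for a FreeIPA client (added example, not part of the
# original article). The constants are the article's values; adjust them for
# your own setup. Everything below runs offline on constructed input.
IPA_SERVER="ipa.linuxtechi.lan"
IPA_SERVER_IP="192.168.1.105"
IPA_DOMAIN="linuxtechi.lan"
MAX_SKEW=300   # seconds; MIT Kerberos' default clockskew tolerance is 5 minutes

# is_fqdn_in_domain HOST DOMAIN: ipa-client-install uses `hostname -f` for the
# host principal, so the name must be fully qualified and inside the IPA domain.
is_fqdn_in_domain() {
    case "$1" in
        ?*".$2") return 0 ;;
        *)       return 1 ;;
    esac
}

# hosts_has_entry FILE IP NAME: before the client trusts IPA's DNS, the server
# must resolve via /etc/hosts. Accepts the entry if IP is the first field and
# NAME is one of the hostnames on that line; comments are ignored.
hosts_has_entry() {
    sed 's/#.*//' "$1" | awk -v ip="$2" -v name="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }'
}

# skew_ok LOCAL_EPOCH SERVER_EPOCH: the absolute clock difference must stay
# within MAX_SKEW or the KDC rejects the client's requests.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( -diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# run_checks HOSTS_FILE CLIENT_FQDN LOCAL_EPOCH SERVER_EPOCH
# Prints one PASS/FAIL line per check and returns the number of failures.
run_checks() {
    fails=0
    if is_fqdn_in_domain "$2" "$IPA_DOMAIN"; then
        echo "PASS hostname $2 is an FQDN inside $IPA_DOMAIN"
    else
        echo "FAIL hostname $2 is not an FQDN inside $IPA_DOMAIN"; fails=$((fails + 1))
    fi
    if hosts_has_entry "$1" "$IPA_SERVER_IP" "$IPA_SERVER"; then
        echo "PASS $1 maps $IPA_SERVER_IP to $IPA_SERVER"
    else
        echo "FAIL $1 has no entry mapping $IPA_SERVER_IP to $IPA_SERVER"; fails=$((fails + 1))
    fi
    if skew_ok "$3" "$4"; then
        echo "PASS clock skew within ${MAX_SKEW}s"
    else
        echo "FAIL clock skew exceeds ${MAX_SKEW}s; fix NTP before enrolling"; fails=$((fails + 1))
    fi
    return "$fails"
}

# --- demo on a constructed /etc/hosts (mirrors the article's echo | tee line) ---
TMP_HOSTS=$(mktemp)
cat > "$TMP_HOSTS" <<'EOF'
127.0.0.1 localhost
192.168.1.105 ipa.linuxtechi.lan ipa   # constructed sample entry
EOF
NOW=$(date +%s)
# On a real client, replace "$NOW $NOW" with the local and server clocks
# (e.g. the server's `date +%s` fetched over ssh) and "$TMP_HOSTS" with /etc/hosts.
run_checks "$TMP_HOSTS" "app01.linuxtechi.lan" "$NOW" "$NOW"
rm -f "$TMP_HOSTS"
```

The three checks are deliberately separate functions so that each can be reused on its own; run_checks only aggregates them and reports how many failed, which makes it usable as a gate in a provisioning script.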
Step:4) Configure FreeIPA client using command ‘ipa-client-install’
Now run the “ipa-client-install” command to configure freeipa-client on your Ubuntu 18.04 system:
pkumar@app01:~$ sudo ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN
Change the FreeIPA server address, domain name and realm to suit your setup.
The output of the above command will look something like this:
Now allow users' home directories to be created automatically when they authenticate with the FreeIPA server for the first time.
Append the following line to the file “/usr/share/pam-configs/mkhomedir”:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
pkumar@app01:~$ echo "required pam_mkhomedir.so umask=0022 skel=/etc/skel" | sudo tee -a /usr/share/pam-configs/mkhomedir
Apply the above changes using the following command:
pkumar@app01:~$ sudo pam-auth-update
Select OK and then hit Enter.
Now try to log in or ssh to your Ubuntu 18.04 system with the sysadm user.
Step:5) Try to Login to your Ubuntu 18.04 System with sysadm user
Now ssh to your Ubuntu 18.04 system using the sysadm user:
# ssh sysadm@192.168.1.106
sysadm@192.168.1.106's password:
X11 forwarding request failed on channel 0
Password expired. Change your password now.
Creating directory '/home/sysadm'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

418 packages can be updated.
166 updates are security updates.

WARNING: Your password has expired.
You must change your password now and login again!
Current Password:
New password:
Retype new password:
passwd: password updated successfully
Connection to 192.168.1.106 closed.
As we can see, on the first authentication it prompts us to set a new password, because the initial password has expired, and then disconnects the session.
Now ssh to the Ubuntu system again; this time we should be able to connect:
# ssh sysadm@192.168.1.106
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
Last login: Sat Dec 8 21:37:44 2018 from 192.168.1.101
/usr/bin/xauth: timeout in locking authority file /home/sysadm/.Xauthority
sysadm@app01:~$
sysadm@app01:~$ id
uid=1285200003(sysadm) gid=1285200003(sysadm) groups=1285200003(sysadm)
sysadm@app01:~$
This confirms that we have successfully configured the FreeIPA client on the Ubuntu 18.04 system.
Steps to configure FreeIPA Client on CentOS 7 System
Step:1) Add DNS record of CentOS 7 on FreeIPA Server
Run the following command on the FreeIPA server:
[root@ipa ~]# ipa dnsrecord-add linuxtechi.lan db01.linuxtechi.lan --a-rec 192.168.1.103
  Record name: db01.linuxtechi.lan
  A record: 192.168.1.103
[root@ipa ~]#
Step:2) Add the FreeIPA Server details in /etc/hosts
Log in to your CentOS 7 system and add the following to the /etc/hosts file:
[root@db01 ~]# echo "192.168.1.105 ipa.linuxtechi.lan ipa" >> /etc/hosts
[root@db01 ~]# echo "192.168.0.103 db01.linuxtechi.lan" >> /etc/hosts
Step:3) Install and Configure FreeIPA Client
Use the command below to install the FreeIPA client on the CentOS 7 system:
[root@db01 ~]# yum install freeipa-client -y
Now configure the FreeIPA client using the “ipa-client-install” command:
[root@db01 ~]# ipa-client-install --hostname=`hostname -f` --mkhomedir --server=ipa.linuxtechi.lan --domain linuxtechi.lan --realm LINUXTECHI.LAN
Use the same details and credentials that we used when running the same command on the Ubuntu 18.04 system.
If the above command executes successfully, we should see output something like this:
………………………………………………
[try 1]: Forwarding 'host_mod' to json server 'https://ipa.linuxtechi.lan/ipa/session/json'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring linuxtechi.lan as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@db01 ~]#
Run the command below so that users' home directories are created automatically at first login:
[root@db01 ~]# authconfig --enablemkhomedir --update
[root@db01 ~]#
Now you should be able to log in to the CentOS 7 system with the sysadm user.
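The login test in Step 5 of the Ubuntu section and the one just described for CentOS 7 both show that the sysadm user resolves and gets a home directory. The script below is an added example, not code from the original article or from FreeIPA, that turns those observations into repeatable checks: the account must be served by SSSD rather than by a local /etc/passwd entry (a local account of the same name would take precedence under the usual "files sss" NSS order), it must carry the default shell set with ipa config-mod and a home under /home, and it shows what directory mode pam_mkhomedir produces for the umask values the article uses. It runs on constructed data (a getent line built from the article's ipa user-add output and a small sample passwd file); on a live client substitute the output of getent passwd sysadm and /etc/passwd.

```shell
#!/bin/sh
# Post-enrollment checks for a FreeIPA client (added example, not part of the
# original article). Works on constructed input so it runs anywhere; on a live
# client feed it `getent passwd sysadm` and /etc/passwd as noted below.

# in_local_passwd USER FILE: true if USER is defined in the local passwd file.
# With the usual "passwd: files sss" NSS order, a local account with the same
# name would take precedence over the IPA account.
in_local_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# passwd_field LINE N: print field N of a passwd(5) line
# (1 = name, 3 = uid, 4 = gid, 6 = home, 7 = shell).
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# mode_from_umask UMASK: the mode pam_mkhomedir gives a new home directory,
# i.e. 0777 with the umask bits cleared, printed as 4-digit octal.
mode_from_umask() {
    printf '%04o\n' $(( 0777 & ~$1 ))
}

# verify_ipa_user GETENT_LINE LOCAL_PASSWD_FILE: the account must come from SSSD
# (absent from the local file), use the default shell set with
# `ipa config-mod --defaultshell`, and live under /home/<name>.
# Returns the number of failed checks.
verify_ipa_user() {
    name=$(passwd_field "$1" 1)
    shell=$(passwd_field "$1" 7)
    home=$(passwd_field "$1" 6)
    fails=0
    if in_local_passwd "$name" "$2"; then
        echo "FAIL $name also exists in $2; the local entry shadows the IPA account"
        fails=$((fails + 1))
    else
        echo "PASS $name is not a local account, so NSS served it from SSSD"
    fi
    if [ "$shell" = /bin/bash ]; then
        echo "PASS login shell is $shell"
    else
        echo "FAIL login shell is '$shell', expected /bin/bash"; fails=$((fails + 1))
    fi
    if [ "$home" = "/home/$name" ]; then
        echo "PASS home directory is $home"
    else
        echo "FAIL home directory is '$home', expected /home/$name"; fails=$((fails + 1))
    fi
    return "$fails"
}

# --- demo on constructed data ---
# Constructed getent output for the article's sysadm user (values taken from
# its `ipa user-add` output); on a live client use: getent passwd sysadm
GETENT_LINE='sysadm:*:1285200003:1285200003:System Admin:/home/sysadm:/bin/bash'
TMP_PASSWD=$(mktemp)
cat > "$TMP_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pkumar:x:1000:1000:pkumar:/home/pkumar:/bin/bash
EOF
verify_ipa_user "$GETENT_LINE" "$TMP_PASSWD"
rm -f "$TMP_PASSWD"

# The article's pam_mkhomedir line uses umask=0022, which creates homes that any
# local user can read; umask=0077 keeps them private to their owner.
echo "umask=0022 -> home mode $(mode_from_umask 0022)"
echo "umask=0077 -> home mode $(mode_from_umask 0077)"
```

The umask comparison is the part worth keeping in mind: the mkhomedir line from the Ubuntu section yields 0755 home directories, so anything a user drops in their home is readable by every other account on the host, while 0077 yields 0700.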
Steps to uninstall FreeIPA Client from Ubuntu 18.04 / CentOS 7
[root@db01 ~]# ipa-client-install --uninstall
[root@db01 ~]# rm -rf /var/lib/sss/db/*
[root@db01 ~]# systemctl restart sssd.service
That’s all from this article, please do share your feedback and comments.