Centralized Authentication with FreeIPA on Ubuntu 20.04 LTS

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX environments that provides centralized authentication, authorization, and account information. This tutorial will guide you through setting up FreeIPA on Ubuntu 20.04 LTS.

Prerequisites

  • Ubuntu 20.04 LTS server
  • Minimum 4GB RAM (8GB recommended for production)
  • 20GB+ of disk space
  • Root or sudo privileges
  • Static IP address configured
  • Fully Qualified Domain Name (FQDN) for the server
  • DNS server properly configured with forward and reverse records

1 System Preparation

Update your system and set the hostname:

sudo apt update && sudo apt upgrade -y
sudo hostnamectl set-hostname ipa.example.com
exec bash

Edit the hosts file to include the FQDN:

sudo nano /etc/hosts

Add an entry for your server (replace with your actual IP and domain):

192.168.1.100 ipa.example.com ipa

Verify the hostname and FQDN:

hostname
hostname -f

2 Configure DNS

FreeIPA requires properly configured DNS. You can use the integrated DNS or an external DNS server.

If using an external DNS server, ensure these records exist:

ipa.example.com.    IN A    192.168.1.100
_ldap._tcp.example.com. IN SRV 0 100 389 ipa.example.com.
_kerberos._tcp.example.com. IN SRV 0 100 88 ipa.example.com.
_kerberos._udp.example.com. IN SRV 0 100 88 ipa.example.com.
_kpasswd._tcp.example.com. IN SRV 0 100 464 ipa.example.com.
_kpasswd._udp.example.com. IN SRV 0 100 464 ipa.example.com.

Verify DNS resolution:

dig ipa.example.com
dig -t SRV _ldap._tcp.example.com
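Running the two dig commands by hand covers one record at a time. The script below is an added example (not part of this tutorial or of FreeIPA) that checks every record the server needs before ipa-server-install is run: the A record, the reverse (PTR) record from the prerequisites, and the five SRV records listed above, each verified for the expected port and target host. It assumes dig from the dnsutils package and uses the tutorial's values for the domain, host and IP (override them with the DOMAIN, HOST and IP environment variables); the file name ipa-dns-check.sh is hypothetical.

```shell
#!/usr/bin/env bash
# Pre-flight DNS check for a FreeIPA server. Added example, not part of the tutorial or
# of FreeIPA. Assumes dig (package dnsutils) and uses the tutorial's constructed values
# for domain, host and IP; override them via the environment.
set -u

DOMAIN="${DOMAIN:-example.com}"
HOST="${HOST:-ipa.example.com}"
IP="${IP:-192.168.1.100}"

# Records FreeIPA expects, one per line: "TYPE NAME EXPECTED".
# PTR is the reverse record from the prerequisites; for SRV, EXPECTED is the port.
expected_records() {
  printf 'A %s %s\n' "$HOST" "$IP"
  printf 'PTR %s %s\n' "$IP" "$HOST"
  local svc
  for svc in _ldap._tcp:389 _kerberos._tcp:88 _kerberos._udp:88 _kpasswd._tcp:464 _kpasswd._udp:464; do
    printf 'SRV %s.%s %s\n' "${svc%%:*}" "$DOMAIN" "${svc##*:}"
  done
}

# Query one record with dig +short (SRV answers look like "0 100 389 ipa.example.com.").
lookup() {  # lookup TYPE NAME
  if [ "$1" = PTR ]; then dig +short -x "$2"; else dig +short -t "$1" "$2"; fi
}

# Check one answer line: A must equal the IP, PTR must name the host,
# SRV must carry the expected port and point at the host.
record_ok() {  # record_ok TYPE EXPECTED ANSWER
  local type="$1" want="$2" ans="$3" port target
  case "$type" in
    A)   [ "$ans" = "$want" ] ;;
    PTR) [ "${ans%.}" = "$want" ] ;;
    SRV) set -- $ans; port="${3:-}"; target="${4:-}"
         [ "$port" = "$want" ] && [ "${target%.}" = "$HOST" ] ;;
    *)   return 1 ;;
  esac
}

# True if any line of a (possibly multi-line) answer satisfies record_ok.
any_record_ok() {  # any_record_ok TYPE EXPECTED ANSWERS
  local type="$1" want="$2" line
  while IFS= read -r line; do
    record_ok "$type" "$want" "$line" && return 0
  done <<EOF
$3
EOF
  return 1
}

# Resolve every expected record and report; returns the number of missing ones.
check_dns() {
  local fails=0 type name want answers
  while read -r type name want; do
    answers="$(lookup "$type" "$name")"
    if any_record_ok "$type" "$want" "$answers"; then
      printf 'OK       %-4s %s\n' "$type" "$name"
    else
      printf 'MISSING  %-4s %s (expected %s, got: %s)\n' "$type" "$name" "$want" "${answers:-nothing}"
      fails=$((fails + 1))
    fi
  done <<EOF
$(expected_records)
EOF
  return $fails
}

# Usage: bash ipa-dns-check.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = run ]; then check_dns; fi
```

A non-zero exit status is the number of missing records, so the script can gate an automated build. If you let ipa-server-install manage DNS (integrated BIND), run the same check after installation instead: the installer creates these records itself, and a client that cannot resolve them will fail enrollment with an unhelpful Kerberos error.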

3 Install FreeIPA Server

Install the FreeIPA server packages:

sudo apt install -y freeipa-server freeipa-server-dns

Run the FreeIPA installation wizard:

sudo ipa-server-install

The installer will prompt for several configuration options. Here's a typical setup:

Do you want to configure integrated DNS (BIND)? [no]: yes
Server host name [ipa.example.com]: 
Please confirm the domain name [example.com]: 
Please provide a realm name [EXAMPLE.COM]: 
Directory Manager password: 
Password (confirm): 
IPA admin password: 
Password (confirm): 
Do you want to configure DNS forwarders? [yes]: 
Do you want to configure these servers as DNS forwarders? [yes]: 
Enter DNS forwarder IP address: 8.8.8.8
Do you want to search for missing reverse zones? [yes]: 
Continue to configure the system with these values? [no]: yes

Note: The installation process may take 10-20 minutes to complete.

4 Configure Firewall

Allow necessary ports through the firewall:

sudo ufw allow 80/tcp    # HTTP
sudo ufw allow 443/tcp   # HTTPS
sudo ufw allow 389/tcp   # LDAP
sudo ufw allow 636/tcp   # LDAPS
sudo ufw allow 88/tcp    # Kerberos
sudo ufw allow 88/udp    # Kerberos (clients also use UDP)
sudo ufw allow 464/tcp   # kpasswd
sudo ufw allow 464/udp   # kpasswd (clients also use UDP)
sudo ufw allow 53/tcp    # DNS
sudo ufw allow 53/udp    # DNS
sudo ufw allow 123/udp   # NTP
sudo ufw enable

Verify the firewall status:

sudo ufw status

5 Verify Installation

Check if FreeIPA services are running:

sudo ipactl status

Test Kerberos authentication:

kinit admin
klist

Test LDAP connectivity:

ldapsearch -x -b dc=example,dc=com -H ldap://ipa.example.com
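The anonymous ldapsearch above only proves that the plain-LDAP listener answers. The script below is an added example (not from this tutorial or from FreeIPA) that checks the server more thoroughly: it parses ipactl status for services that are not RUNNING, compares ufw status against the ports FreeIPA needs (the list from section 4, with 88 and 464 on UDP as well as TCP), does a base search over LDAPS with certificate verification against the IPA CA at /etc/ipa/ca.crt so a broken certificate or TLS listener shows up, and finally performs an authenticated SASL/GSSAPI search with the current Kerberos ticket (run kinit admin first). It assumes ldap-utils with the GSSAPI SASL module installed, as on an IPA server, and the example.com / ipa.example.com names used above; the file name ipa-server-check.sh is hypothetical.

```shell
#!/usr/bin/env bash
# Post-install health check for a FreeIPA server. Added example, not part of the
# tutorial or of FreeIPA. Assumes ipactl, ufw, ldapsearch (ldap-utils with the GSSAPI
# SASL module) and the IPA CA at /etc/ipa/ca.crt, as present on a server installed above.
set -u

DOMAIN="${DOMAIN:-example.com}"
HOST="${HOST:-ipa.example.com}"

# Turn a DNS domain into an LDAP base DN: example.com -> dc=example,dc=com
base_dn() {
  printf 'dc=%s' "$1" | sed 's/\./,dc=/g'
}

# Given the text of `ipactl status`, print the names of services not in state RUNNING.
stopped_services() {
  printf '%s\n' "$1" | awk -F': ' '/ Service: / && $2 != "RUNNING" { sub(/ Service$/, "", $1); print $1 }'
}

# Ports FreeIPA must accept (88 and 464 on UDP as well as TCP), as "port/proto".
required_ports() {
  printf '%s\n' 80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp 53/tcp 53/udp 123/udp
}

# Given the text of `ufw status`, print the required ports that have no ALLOW rule.
missing_ufw_rules() {
  local status="$1" port
  for port in $(required_ports); do
    printf '%s\n' "$status" | grep -Eq "^${port}[[:space:]]+ALLOW" || printf '%s\n' "$port"
  done
}

# Live checks against this server; returns the number of failed checks.
verify_server() {
  local fails=0 out
  out="$(stopped_services "$(sudo ipactl status 2>&1)")"
  if [ -z "$out" ]; then echo "OK   all IPA services running"
  else echo "FAIL not running: $(echo $out)"; fails=$((fails + 1)); fi
  out="$(missing_ufw_rules "$(sudo ufw status)")"
  if [ -z "$out" ]; then echo "OK   firewall rules present"
  else echo "FAIL missing ufw rules: $(echo $out)"; fails=$((fails + 1)); fi
  # LDAPS with certificate verification against the IPA CA (anonymous base search only).
  if LDAPTLS_CACERT=/etc/ipa/ca.crt ldapsearch -x -H "ldaps://$HOST" -b "$(base_dn "$DOMAIN")" \
       -s base -LLL '(objectClass=*)' 1.1 >/dev/null; then
    echo "OK   LDAPS listener and CA certificate"
  else echo "FAIL LDAPS (certificate or TLS listener)"; fails=$((fails + 1)); fi
  # Authenticated search with the current Kerberos ticket (SASL/GSSAPI, no password on the wire).
  if klist -s && ldapsearch -Q -Y GSSAPI -H "ldap://$HOST" \
       -b "cn=users,cn=accounts,$(base_dn "$DOMAIN")" -LLL '(uid=admin)' uid >/dev/null; then
    echo "OK   GSSAPI bind as $(klist 2>/dev/null | awk '/Default principal/ {print $3}')"
  else echo "FAIL Kerberos ticket or GSSAPI bind (run: kinit admin)"; fails=$((fails + 1)); fi
  return $fails
}

# Usage: bash ipa-server-check.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = run ]; then verify_server; fi
```

The LDAPS check deliberately pins the IPA CA instead of the system trust store: if it fails while the plain ldapsearch works, the problem is the certificate chain or the 636 listener, which is exactly what clients and replicas will trip over later.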

6 Access Web Interface

Open your web browser and navigate to:

https://ipa.example.com

Log in with the username admin and the password you set during installation.

You should see the FreeIPA web interface dashboard.

7 Configure FreeIPA Client on Ubuntu

On client machines, install the FreeIPA client packages:

sudo apt install -y freeipa-client

Join the client to the FreeIPA domain:

sudo ipa-client-install --domain=example.com --server=ipa.example.com --mkhomedir

Alternatively, use the interactive setup:

sudo ipa-client-install

You'll be prompted for:

Domain name: example.com
IPA server: ipa.example.com
Directory Manager password: 
Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for admin@EXAMPLE.COM:

8 Create Users and Groups

Using the FreeIPA web interface:

  1. Go to "Identity" → "Users"
  2. Click "Add" to create a new user
  3. Fill in the user details (first name, last name, username)
  4. Set a temporary password or check "Random" to generate one
  5. Click "Add" to create the user

Using the command line:

ipa user-add johndoe --first=John --last=Doe --email=johndoe@example.com --password
ipa group-add developers --desc="Development Team"
ipa group-add-member developers --users=johndoe

9 Configure Automatic Home Directory Creation

Ensure PAM is configured to create home directories on login:

sudo pam-auth-update --enable mkhomedir
sudo systemctl restart sssd

Alternatively, edit the PAM configuration manually:

sudo nano /etc/pam.d/common-session

Add this line to the file:

session required pam_mkhomedir.so skel=/etc/skel umask=0022

10 Test Authentication

Test user authentication from a client machine:

ssh johndoe@client.example.com

Test Kerberos ticket acquisition:

kinit johndoe
klist

Verify user information:

id johndoe
getent passwd johndoe
getent group developers

11 Configure SSH for Kerberos Authentication

Edit the SSH server configuration on clients:

sudo nano /etc/ssh/sshd_config

Ensure these options are set:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes

Restart the SSH service:

sudo systemctl restart sshd

12 Troubleshooting Common Issues

Check FreeIPA service status:

sudo ipactl status
journalctl -u dirsrv@EXAMPLE-COM.service -f

Check SSSD authentication issues:

sudo systemctl status sssd
journalctl -u sssd -f
sssctl user-checks johndoe
sssctl domain-status example.com

Check Kerberos issues:

kinit -V johndoe
klist -e
ipa krbtpolicy-show

Common issues and solutions:

  • Cannot acquire Kerberos ticket: check time synchronization (NTP) and DNS resolution
  • User not found: check SSSD configuration and domain status
  • Home directory not created: verify PAM mkhomedir configuration
  • SSH authentication fails: check GSSAPI settings in sshd_config
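The checks in that table can be run in one pass on a client. The script below is an added example (not from this tutorial or from FreeIPA): it confirms the clock is NTP-synchronised (the KDC refuses requests beyond the default 5-minute clock skew), that the Kerberos SRV record resolves, that sssd is running and reports the domain online, that the user resolves through getent, that pam_mkhomedir is active in /etc/pam.d/common-session, and that the effective sshd configuration (sshd -T) has GSSAPIAuthentication and UsePAM enabled. It assumes an enrolled Ubuntu client with sssd, sssctl, dig and timedatectl; example.com and johndoe are the tutorial's values, and the file name ipa-client-diagnose.sh is hypothetical.

```shell
#!/usr/bin/env bash
# Client-side triage for the issues in the troubleshooting table. Added example, not part
# of the tutorial or of FreeIPA. Assumes an enrolled Ubuntu client with sssd/sssctl, dig
# and timedatectl; the domain and user name are the tutorial's constructed values.
set -u

DOMAIN="${DOMAIN:-example.com}"

# Given `sshd -T` output (effective settings, lower-case keywords), succeed if
# Kerberos logins can work: gssapiauthentication yes and usepam yes.
sshd_gssapi_ok() {
  printf '%s\n' "$1" | grep -q '^gssapiauthentication yes$' &&
    printf '%s\n' "$1" | grep -q '^usepam yes$'
}

# Given the text of a PAM session file, succeed if pam_mkhomedir.so is active
# (an uncommented "session required|optional pam_mkhomedir.so" line).
pam_mkhomedir_active() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_mkhomedir\.so'
}

# Given `timedatectl show` output, succeed if the clock is NTP-synchronised.
# The KDC refuses requests once skew exceeds the default clockskew of 5 minutes.
clock_synced() {
  printf '%s\n' "$1" | grep -q '^NTPSynchronized=yes$'
}

report() {  # report NAME ok|fail [HINT]
  if [ "$2" = ok ]; then printf 'OK    %s\n' "$1"; else printf 'FAIL  %s: %s\n' "$1" "${3:-}"; fi
}

# Run every check live for one user; returns the number of failed checks.
diagnose() {  # diagnose USERNAME
  local user="$1" fails=0
  if clock_synced "$(timedatectl show)"; then report clock ok
  else report clock fail "not NTP-synchronised; tickets are refused on clock skew"; fails=$((fails + 1)); fi
  if [ -n "$(dig +short -t SRV "_kerberos._tcp.$DOMAIN")" ]; then report "DNS SRV" ok
  else report "DNS SRV" fail "no _kerberos._tcp.$DOMAIN record; check /etc/resolv.conf"; fails=$((fails + 1)); fi
  if systemctl is-active --quiet sssd && sudo sssctl domain-status "$DOMAIN" | grep -q 'Online status: Online'; then report sssd ok
  else report sssd fail "sssd stopped or domain offline (journalctl -u sssd)"; fails=$((fails + 1)); fi
  if getent passwd "$user" >/dev/null; then report "user $user" ok
  else report "user $user" fail "not resolvable; check /etc/sssd/sssd.conf and domain status"; fails=$((fails + 1)); fi
  if pam_mkhomedir_active "$(cat /etc/pam.d/common-session)"; then report pam_mkhomedir ok
  else report pam_mkhomedir fail "run: sudo pam-auth-update --enable mkhomedir"; fails=$((fails + 1)); fi
  if sshd_gssapi_ok "$(sudo sshd -T 2>/dev/null)"; then report "sshd GSSAPI" ok
  else report "sshd GSSAPI" fail "set GSSAPIAuthentication yes and UsePAM yes in sshd_config"; fails=$((fails + 1)); fi
  return $fails
}

# Usage: bash ipa-client-diagnose.sh johndoe   (no argument: only define the functions)
if [ -n "${1:-}" ]; then diagnose "$1"; fi
```

Reading sshd -T rather than grepping sshd_config matters because a Match block or an included file can override the global GSSAPIAuthentication line; the effective value is what the login actually sees.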