
3.3. Configuring a Fedora System as a FreeIPA Client

There are two elements to prepare before beginning the client setup process for the Fedora client:
To configure the client:
  1. Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD.
    For a regular user system, this requires only the ipa-client package:
    # yum install freeipa-client
    An administrator machine requires the freeipa-admintools package, as well:
    # yum install freeipa-client freeipa-admintools
  2. If the FreeIPA server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the client's /etc/resolv.conf file.

    TIP

    If every machine in the domain will be a FreeIPA client, then add the FreeIPA server address to the DHCP configuration.
  3. Run the client setup command.
    # ipa-client-install --enable-dns-updates
    The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the FreeIPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
    When using the --server option to specify the FreeIPA server to register with, the server name must be a fully-qualified domain name.

    IMPORTANT

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
    Other options for ipa-client-install are listed in Section B.6.1, “ipa-client-install”.

    NOTE

    There is an --on-master option that is used as part of configuring a FreeIPA server (which is also a FreeIPA client, since it is within the domain). This option should never be used when configuring a regular FreeIPA client, because it results in a slightly different client configuration which may not work on a machine that is not a FreeIPA server.
  4. If prompted, enter the DNS domain name of the FreeIPA server.
    DNS discovery failed to determine your DNS domain
    Please provide the domain name of your IPA server (ex: example.com): example.com
  5. If prompted, enter the fully-qualified domain name of the FreeIPA server. Alternatively, use the --server option with the client installation script to supply the fully-qualified domain name of the FreeIPA server.
    DNS discovery failed to find the IPA Server
    Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com

    IMPORTANT

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
  6. The client script then prompts for a Kerberos identity that is authorized to contact and join the Kerberos realm. Once these credentials are supplied, the client joins the FreeIPA Kerberos domain and completes the configuration:
    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM:
    Enrolled in FreeIPA realm EXAMPLE.COM
    Created /etc/ipa/default.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for FreeIPA realm EXAMPLE.COM
    SSSD enabled
    Kerberos 5 enabled
    NTP enabled
    Client configuration complete.
    
  7. Test that the client can connect successfully to the FreeIPA domain and can perform basic tasks. For example, check that the FreeIPA tools can be used to get user and group information:
    $ id
    $ getent passwd userID
    $ getent group ipausers
  8. Set up NFS to work with Kerberos.

    TIP

    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file.
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"
    1. On a FreeIPA server, add an NFS service principal for the NFS client.
      # ipa service-add nfs/ipaclient.example.com@EXAMPLE.COM

      NOTE

      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the FreeIPA server, obtain a keytab for the NFS service principal.
      # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE.COM -k /tmp/krb5.keytab

      NOTE

      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Fedora 15, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the FreeIPA server to the NFS server. For example, if the FreeIPA and NFS servers are on different machines:
      # scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
    4. Copy the keytab from the FreeIPA server to the FreeIPA client. For example:
      # scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
    5. Configure the /etc/exports file on the NFS server.
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
    6. On the client, mount the NFS share. Use the same security flavor in the -o sec option as is used in the /etc/exports file on the NFS server (krb5p in this example).
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
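The following script is an added example for this guide, not part of the FreeIPA project. It turns three of the checks above into runnable shell functions: that a hostname passed to --server (or the client's own name) is a fully-qualified, DNS-safe name without underscores (steps 3 and 5), that the FreeIPA server is the first nameserver in resolv.conf (step 2), and that allow_weak_crypto is set in [libdefaults] before DES keytabs are used for NFS. The resolv.conf and krb5.conf contents are constructed samples, not real system files.

```shell
#!/bin/bash
# Pre-flight checks for a Fedora host before running ipa-client-install.
# Added example for this guide, not FreeIPA project code; the resolv.conf
# and krb5.conf contents below are constructed samples, not real files.

# Steps 3/5 IMPORTANT: a valid DNS name uses only letters, digits and
# hyphens, and --server / the client hostname must be fully qualified.
valid_fqdn() {
  printf '%s\n' "$1" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Step 2: the FreeIPA server must be the first nameserver in resolv.conf.
# $1 = path to a resolv.conf, $2 = expected server IP address.
first_nameserver_is() {
  local first
  first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
  [ "$first" = "$2" ]
}

# NFS note: DES keytabs (-e des-cbc-crc) only work when [libdefaults] in
# krb5.conf sets allow_weak_crypto = true. $1 = path to a krb5.conf.
weak_crypto_allowed() {
  awk '
    /^[[:space:]]*\[/ { in_lib = ($1 == "[libdefaults]") }
    in_lib && tolower($0) ~ /^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Constructed sample files (not real system files) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
search example.com
nameserver 192.0.2.10
nameserver 192.0.2.53
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 allow_weak_crypto = true
[realms]
 EXAMPLE.COM = { kdc = ipaserver.example.com:88 }
EOF
for h in ipaserver.example.com ipa_client.example.com ipaserver; do
  if valid_fqdn "$h"; then echo "ok:  $h"; else echo "bad: $h"; fi
done
first_nameserver_is "$SAMPLE_DIR/resolv.conf" 192.0.2.10 && echo "resolv.conf: IPA server is first"
weak_crypto_allowed "$SAMPLE_DIR/krb5.conf" && echo "krb5.conf: allow_weak_crypto is set"
```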