Product SiteDocumentation Site

Chapter 3. Setting up Systems as FreeIPA Clients

3.1. What Happens in Client Setup
3.2. Supported Platforms for FreeIPA Clients
3.3. Configuring a Fedora System as a FreeIPA Client
3.4. Manually Configuring a Linux Client
3.5. Configuring a Solaris System as a FreeIPA Client
3.5.1. Configuring Solaris 10
3.5.2. Configuring Solaris 9
3.6. Configuring an HP-UX System as a FreeIPA Client
3.6.1. Configuring NTP
3.6.2. Configuring LDAP Authentication
3.6.3. Configuring Kerberos
3.6.4. Configuring PAM
3.6.5. Configuring SSH
3.6.6. Configuring Access Control
3.6.7. Testing the Configuration
3.7. Configuring an AIX System as a FreeIPA Client
3.7.1. Prerequisites
3.7.2. Configuring the AIX Client
3.8. Troubleshooting Client Installations
3.9. Uninstalling a FreeIPA Client
A client is any system which is a member of the FreeIPA domain. While this is frequently a Fedora system (and FreeIPA has special tools to make configuring Fedora clients very simple), machines with other operating systems can also be added to the FreeIPA domain.
One important aspect of a FreeIPA client is that only the system configuration determines whether the system is part of the domain. (The configuration includes things like belonging to the Kerberos domain, DNS domain, and having the proper authentication and certificate setup.)

NOTE

FreeIPA does not require any sort of agent or daemon running on a client for the client to join the domain. However, for the best management options, security, and performance, clients should run the System Security Services Daemon (SSSD).
For more information on SSSD, see the SSSD project page.
This chapter explains how to configure a system to join a FreeIPA domain.

NOTE

Clients can only be configured after at least one FreeIPA server has been installed.

3.1. What Happens in Client Setup

Whether the client configuration is performed automatically on Fedora systems using the client setup script or manually on other systems, the general process of configuring a machine to serve as a FreeIPA client is mostly the same, with slight variation depending on the platform:
  • Retrieve the CA certificate for the FreeIPA CA.
  • Create a separate Kerberos configuration to test the provided credentials. This enables a Kerberos connection to the FreeIPA XML-RPC server, necessary to join the FreeIPA client to the FreeIPA domain. This Kerberos configuration is ultimately discarded.
    Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example, this is the Kerberos configuration for Fedora systems:
    [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    forwardable = yes
    ticket_lifetime = 24h
    
    [realms]
    EXAMPLE.COM = {
          kdc = ipaserver.example.com:88
          admin_server = ipaserver.example.com:749
          }
    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    
  • Run the ipa-join command to perform the actual join
  • Obtain a service principal for the host service and installs it into /etc/krb5.keytab. For example, host/ipa.example.com@EXAMPLE.COM.
  • Enable certmonger, retrieve an SSL server certificate, and install the certificate in /etc/pki/nssdb.
  • Disable the nscd daemon.
  • Configures SSSD or LDAP/KRB5, including NSS and PAM configuration files.
  • Configure NTP.