Product SiteDocumentation Site

Chapter 3. Setting up Systems as IPA Clients

3.1. What Happens in Client Setup
3.2. Supported Platforms for IPA Clients
3.3. Configuring a Red Hat Enterprise Linux System as an IPA Client
3.4. Manually Configuring a Linux Client
3.5. Configuring a Solaris System as an IPA Client
3.5.1. Configuring Solaris 10
3.5.2. Configuring Solaris 9
3.6. Configuring an HP-UX System as an IPA Client
3.6.1. Configuring NTP
3.6.2. Configuring LDAP Authentication
3.6.3. Configuring Kerberos
3.6.4. Configuring PAM
3.6.4.1. HP-UX 11i v2
3.6.4.2. HP-UX 11i v1
3.6.5. Configuring SSH
3.6.6. Configuring Access Control
3.6.7. Testing the Configuration
3.7. Configuring an AIX System as an IPA Client
3.7.1. Prerequisites
3.7.2. Configuring the AIX Client
3.8. Troubleshooting Client Installations
3.9. Uninstalling an IPA Client
A client is any system which is a member of the Identity Management domain. While this is frequently a Red Hat Enterprise Linux system (and IPA has special tools to make configuring Red Hat Enterprise Linux clients very simple), machines with other operating systems can also be added to the IPA domain.
One important aspect of an IPA client is that only the system configuration determines whether the system is part of the domain. (The configuration includes things like belonging to the Kerberos domain, DNS domain, and having the proper authentication and certificate setup.)

NOTE

IPA does not require any sort of agent or daemon running on a client for the client to join the domain. However, for the best management options, security, and performance, clients should run the System Security Services Daemon (SSSD).
For more information on SSSD, see the SSSD chapter in the Deployment Guide.
This chapter explains how to configure a system to join an IPA domain.

NOTE

Clients can only be configured after at least one IPA server has been installed.

3.1. What Happens in Client Setup

Whether the client configuration is performed automatically on Red Hat Enterprise Linux systems using the client setup script or manually on other systems, the general process of configuring a machine to serve as an IPA client is mostly the same, with slight variation depending on the platform:
  • Retrieve the CA certificate for the IPA CA.
  • Create a separate Kerberos configuration to test the provided credentials. This enables a Kerberos connection to the IPA XML-RPC server, necessary to join the IPA client to the IPA domain. This Kerberos configuration is ultimately discarded.
    Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example, this is the Kerberos configuration for Red Hat Enterprise Linux systems: 
    [libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
forwardable = yes
ticket_lifetime = 24h

[realms]
EXAMPLE.COM = {
      kdc = ipaserver.example.com:88
      admin_server = ipaserver.example.com:749
      }
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
  • Run the ipa-join command to perform the actual join
  • Obtain a service principal for the host service and installs it into /etc/krb5.keytab. For example, host/ipa.example.com@EXAMPLE.COM.
  • Enable certmonger, retrieve an SSL server certificate, and install the certificate in /etc/pki/nssdb.
  • Disable the nscd daemon.
  • Configures SSSD or LDAP/KRB5, including NSS and PAM configuration files.
  • Configure NTP.