2.2. Configuring a Red Hat Enterprise Linux System as an IPA Client


There are two elements to prepare before beginning the client setup process for the Red Hat Enterprise Linux client:
  • There must be a way to connect the client machine to the Kerberos domain, either by having an available Kerberos identity (such as the admin user) or by manually adding the client machine to the KDC on the server with a one-time password before beginning the enrollment process for the client machine.
  • If there is an Active Directory server on the same network that serves DNS records, the Active Directory DNS records could prevent the client from automatically detecting the IPA server address. The ipa-client-install script retrieves the Active Directory DNS records instead of any records that were added for IPA.
    In this case, it is necessary to pass the IPA server address directly to the ipa-client-install script.
To configure the client:
  1. Install the client packages. These packages provide a simple way to configure the system as a client; they also install and configure SSSD.
    # yum install ipa-client
  2. If the IPA server is configured as the DNS server and is in the same domain as the client, add the server's IP address as the first entry in the client's /etc/resolv.conf file.

    Note

    If every machine in the domain will be an IPA client, then add the IPA server address to the DHCP configuration.
  3. Run the client setup command.
    # ipa-client-install --enable-dns-updates
    The --enable-dns-updates option updates DNS with the client machine's IP address. This option should only be used if the IPA server was installed with integrated DNS or if the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol.
    When using the --server option to specify the IPA server to register with, the server name must be a fully-qualified domain name.

    Important

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.

    Note

    There is an --on-master option that is used as part of configuring an IPA server (which also is an IPA client, since it is within the domain). This option should never be used when configuring a regular IPA client, because it results in slightly different client configuration which may not work on a non-IPA server machine.
  4. If prompted, enter the domain name for the IPA's DNS domain.
    DNS discovery failed to determine your DNS domain
    Please provide the domain name of your IPA server (ex: example.com): example.com
  5. If prompted, enter the fully-qualified domain name of the IPA server. Alternatively, use the --server option with the client installation script to supply the fully-qualified domain name of the IPA server.
    DNS discovery failed to find the IPA Server
    Please provide your IPA server name (ex: ipa.example.com): ipaserver.example.com

    Important

    This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
  6. The client script then prompts for a Kerberos identity to use to contact and then join the Kerberos realm. When these credentials are supplied, then the client is able to join the IPA Kerberos domain and then complete the configuration:
    Continue to configure the system with these values? [no]: yes
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM:
    Enrolled in IPA realm EXAMPLE.COM
    Created /etc/ipa/default.conf
    Configured /etc/sssd/sssd.conf
    Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
    SSSD enabled
    Kerberos 5 enabled
    NTP enabled
    Client configuration complete.
    
  7. Test that the client can connect successfully to the IPA domain and can perform basic tasks. For example, check that the IPA tools can be used to get user and group information:
    $ id
    $ getent passwd userID
    $ getent group ipausers
  8. Set up NFS to work with Kerberos.

    Note

    To help troubleshoot potential NFS setup errors, enable debug information in the /etc/sysconfig/nfs file.
    RPCGSSDARGS="-vvv"
    RPCSVCGSSDARGS="-vvv"
    1. On an IPA server, add an NFS service principal for the NFS client.
      # ipa service-add nfs/ipaclient.example.com@EXAMPLE

      Note

      This must be run from a machine with the ipa-admintools package installed so that the ipa command is available.
    2. On the IPA server, obtain a keytab for the NFS service principal.
      # ipa-getkeytab -s ipaserver.example.com -p nfs/ipaclient.example.com@EXAMPLE -k /tmp/krb5.keytab

      Note

      Some versions of the Linux NFS implementation have limited encryption type support. If the NFS server is hosted on a version older than Red Hat Enterprise Linux 5, use the -e des-cbc-crc option to the ipa-getkeytab command for any nfs/<FQDN> service keytabs to set up, both on the server and on all clients. This instructs the KDC to generate only DES keys.
      When using DES keys, all clients and servers that rely on this encryption type need to have the allow_weak_crypto option enabled in the [libdefaults] section of the /etc/krb5.conf file. Without these configuration changes, NFS clients and servers are unable to authenticate to each other, and attempts to mount NFS filesystems may fail. The client's rpc.gssd and the server's rpc.svcgssd daemons may log errors indicating that DES encryption types are not permitted.
    3. Copy the keytab from the IPA server to the NFS server. For example, if the IPA and NFS servers are on different machines:
      # scp /tmp/krb5.keytab root@nfs.example.com:/etc/krb5.keytab
    4. Copy the keytab from the IPA server to the IPA client. For example:
      # scp /tmp/krb5.keytab root@client.example.com:/etc/krb5.keytab
    5. Configure the /etc/exports file on the NFS server.
      /ipashare       gss/krb5p(rw,no_root_squash,subtree_check,fsid=0)
    6. On the client, mount the NFS share. Use the same -o sec setting as is used in the /etc/exports file for the NFS server.
      [root@client ~]# mount -v -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt/ipashare
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.