How to set up a domain in CentOS / Red Hat

Why such a title? Because this guide is aimed mostly at Windows admins and engineers who are new to identity management in a Linux environment.

FreeIPA is a domain controller for Linux/Unix machines: it defines a domain made up of domain controllers and enrolled clients, much like Active Directory in the Microsoft world.

I won’t go into technical details about FreeIPA; those are easy to find elsewhere on the internet.

System requirements:

  * 2 vCPUs

  * The requirements list 2 GB of RAM, but it works best with 4 GB.

  * 10 GB of disk space as the minimum.

  * A clean installation of CentOS 8/RHEL with no other services on it.

  * Ports 80 and 443 need to be free on the machine.

  * The machine needs an FQDN defined before you start.

Prerequisites:

You will need to define the hostname and time zone on the machine that will hold the FreeIPA installation.

Here is the CentOS / Red Hat hostname tutorial – https://www.informaticar.net/how-to-set-hostname-in-centos-red-hat/

Here are the time and NTP related tutorials for CentOS / Red Hat:

https://www.informaticar.net/set-time-and-date-in-centos-red-hat/

Installation:

First, we will deal with SELinux, since it can cause problems during the installation.

sudo setenforce 0
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config

Next, we will check the available modules in the RHEL AppStream repos:

sudo yum module list idm

As can be seen in the screenshot, DL1 is the server module, while client is, well, the client.

We can also get more info about the DL1 module stream by running the following command:

sudo yum module info idm:DL1

We will now install the DL1 module stream first, and then the FreeIPA server.

sudo yum -y install @idm:DL1

There are two choices when installing FreeIPA: install FreeIPA alone, or install FreeIPA with integrated DNS.

If you are going to install just FreeIPA, use the following command:

sudo yum -y install freeipa-server

If you opted for FreeIPA with DNS, go with the following command:

sudo yum install ipa-server-dns bind-dyndb-ldap

You will also need bind; the required packages are included in the command above. I will go with the DNS option.

The installation phase is complete.

Configuration:

First, we need to give our FreeIPA host a valid hostname.

I already gave my machine a valid hostname and I can ping it:

ping -c 4 dc.test.local -4

In case you don’t have DNS, you can modify the /etc/hosts file to include the FreeIPA host’s IP address and hostname.

(change 10.20.10.7 and dc.test.local to the IP and name that fit your setup)

echo "10.20.10.7 dc.test.local" | sudo tee -a /etc/hosts
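These are the checks I would script for the requirements listed at the top (FQDN, ports 80/443 free, SELinux mode) and for the hostname and /etc/hosts step above, so they can be run before ipa-server-install. This is an added example, not part of the original tutorial; the script name preflight.sh and the PREFLIGHT variable are my own assumptions.

```shell
#!/bin/bash
# Pre-flight checks before ipa-server-install (added example, not from the tutorial).
# Each check takes its input as arguments so it can be tried on constructed values;
# the guarded section at the bottom runs the checks against the live host.

# A usable FQDN: dot-separated labels of letters, digits and hyphens, no trailing dot.
is_fqdn() {
  local name="$1"
  [ "${#name}" -le 253 ] || return 1
  printf '%s' "$name" |
    grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Does the /etc/hosts content in $3 map name $2 to address $1? Comment lines are ignored.
hosts_maps() {
  printf '%s\n' "$3" | grep -v '^[[:space:]]*#' |
    awk -v ip="$1" -v n="$2" '$1 == ip { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                              END { exit found ? 0 : 1 }'
}

# The installer refuses a hostname that resolves to loopback, so flag 127.x.x.x addresses.
is_loopback() { case "$1" in 127.*) return 0 ;; *) return 1 ;; esac; }

# SELINUX= mode from a /etc/selinux/config body (the tutorial switches it to permissive).
selinux_mode() { printf '%s\n' "$1" | sed -n 's/^SELINUX=\(.*\)$/\1/p' | tail -n 1; }

# Is TCP port $1 free on this host? (ss is part of iproute on CentOS 8/RHEL 8.)
port_free() { ! ss -Hltn "sport = :$1" 2>/dev/null | grep -q . ; }

# Run against the live host only when asked, e.g.: PREFLIGHT=1 bash preflight.sh
if [ "${PREFLIGHT:-0}" = 1 ]; then
  host=$(hostname -f)
  is_fqdn "$host" || echo "WARN: hostname '$host' is not an FQDN"
  addr=$(getent hosts "$host" | awk 'NR == 1 { print $1 }')
  [ -n "$addr" ] || echo "WARN: '$host' does not resolve (add it to DNS or /etc/hosts)"
  is_loopback "$addr" && echo "WARN: '$host' resolves to loopback $addr; use the real IP"
  for p in 80 443; do port_free "$p" || echo "WARN: TCP port $p is already in use"; done
  echo "SELinux config mode: $(selinux_mode "$(cat /etc/selinux/config)")"
fi
```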

Now, again, there are two choices: just configure FreeIPA, or configure FreeIPA and DNS.

The first is:

sudo ipa-server-install

And the second, with the DNS setup option, is:

sudo ipa-server-install --setup-dns

I will use the FreeIPA + DNS setup.

Let’s go.

My setup will include the following steps:

  * Configure a stand-alone CA (dogtag) for certificate management

  * Configure the NTP client (chronyd)

  * Create and configure an instance of Directory Server

  * Create and configure a Kerberos Key Distribution Center (KDC)

  * Configure Apache (httpd)

  * Configure DNS (bind)

  * Configure the KDC to enable PKINIT

My FreeIPA server name is DC and the domain will be test.local.

Enter your machine name and domain and press Enter.

Next, I need to confirm the domain name; in my case, test.local.

The realm name will, in my case, be the same, just in uppercase (TEST.LOCAL).

Next, we will define the Directory Manager password. As always, make sure you use strong passwords and store them securely (I will use a weak one for the lab). You will also be asked to repeat the password.

The next step is the administrative FreeIPA user, named admin. We will define a password for it. I missed it the first time.

Next up, DNS.

The first question is whether you need DNS forwarders. I will configure them; you can type no and skip this if you don’t need them.

I already have 8.8.8.8 configured as my DNS server, so I will just confirm it as a forwarder with yes.

I won’t enter a second DNS forwarder, so I will just press Enter.

I will also confirm with yes to search for the missing reverse zones.

After that you will be asked to confirm the reverse zones and enter their names (you can use the names suggested in the prompts).

You will also be offered to configure an NTP server; I selected no, because I already configured chrony prior to this setup. Time synchronization is extremely important (Kerberos depends on clocks being in sync), so make sure to configure an NTP source.

You will then be presented with your configuration. Mine is OK, so I confirm it with yes.

Starting installation…

After a few minutes, a summary is displayed; a successful install should look like the one pictured below.

As recommended in the last setup steps, we should open a few ports in our firewall.

(double minuses before add and permanent)

sudo firewall-cmd --add-service={http,https,dns,ntp,freeipa-ldap,freeipa-ldaps} --permanent

I already have NTP configured, so it is displayed as a warning.

Reload the firewall service:

(double minuses before reload)

sudo firewall-cmd --reload

Finally, let’s open the browser on the FreeIPA server and type in:

https://dc.test.local/

You already set the password for the IPA admin user during setup, so enter the username and password and log in.

Now, let’s try using the command line.

I entered a command just to list user accounts, and got this:

sudo ipa user-find

So, the first step is to get a Kerberos ticket:

sudo kinit admin

We will then check the ticket expiration by typing:

klist

Next, we will set the default shell for FreeIPA users to /bin/bash.

(double minuses before default)

sudo ipa config-mod --defaultshell=/bin/bash

Now we will add a user account (I will add a user named Korisnik1):

(double minuses before first, last, email, password)

sudo ipa user-add Korisnik1 --first=Korisnik1 --last=User --email=Korisnik1@test.local --password

Now, let’s try the command again:

sudo ipa user-find

The new user can also be seen in the web browser.

We will now try to log in as korisnik in the terminal:

ssh korisnik@localhost

Uninstall

If for whatever reason you wish to uninstall FreeIPA, the command is:

(double minuses before uninstall)

sudo ipa-server-install --uninstall
