# FreeIPA

An Active Directory-style identity server (Kerberos KDC, LDAP directory and DNS) for Linux. This guide assumes Fedora 40+.

## Quickstart

- Set your hostname to your server's FQDN with `hostnamectl hostname freeipa.reeselink.com`
- Ensure you have a DNS entry pointing to your host
- Open ports:

  ```bash
  firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
  firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
  ```

- Set a permanent DNS resolver (the redirect must run as root, so pipe through `sudo tee` rather than `sudo echo ... >`, which redirects as the unprivileged user): `echo "nameserver 1.1.1.1" | sudo tee /etc/resolv.conf`
- Disable NetworkManager DNS management by adding `dns=none` to the `[main]` section of `/etc/NetworkManager/NetworkManager.conf`:

  ```conf
  # /etc/NetworkManager/NetworkManager.conf
  [main]
  dns=none
  ```

- Restart NetworkManager: `systemctl restart NetworkManager`
- Ensure resolv.conf hasn't been repopulated: `cat /etc/resolv.conf`
- Install FreeIPA: `dnf install -y freeipa-server freeipa-server-dns`
- Install the server (mostly choose defaults and sane options): `ipa-server-install`
- Authenticate as admin: `kinit admin`

## Adding a user

- `ipa user-add`
- `ipa passwd `
- `kinit `

## Arch Client

- Install krb5: `pacman -S krb5`
- Edit `/etc/krb5.conf` to match your server:

  ```conf
  # /etc/krb5.conf
  [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
  default_realm = REESELINK.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

  [realms]
  REESELINK.COM = {
    kdc = freeipa.reeselink.com:88
    master_kdc = freeipa.reeselink.com:88
    kpasswd_server = freeipa.reeselink.com:464
    admin_server = freeipa.reeselink.com:749
    default_domain = reeselink.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

  [domain_realm]
  .reeselink.com = REESELINK.COM
  reeselink.com = REESELINK.COM
  freeipa.reeselink.com = REESELINK.COM
  ```

- Log in with your user: `kinit `
- List your tickets: `klist`
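## Added example: pre-flight checks for the Quickstart

The following script is an added example, not part of the original guide. It turns the Quickstart steps above into checks that can be run before `ipa-server-install`: the hostname is an FQDN, `/etc/resolv.conf` still carries a `nameserver` line after the NetworkManager restart, `dns=none` sits in the `[main]` section (and not somewhere else in the file), and the firewalld services the server needs are open. The guide opens only the two LDAP services; the list here also includes the Kerberos, kpasswd, web-UI and DNS services, which are assumed to be the upstream firewalld service names. Each check takes its input as an argument so it can be exercised against constructed files; only `--run` touches the live system.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): pre-flight checks for the
# FreeIPA Quickstart. Checks take their input as arguments so they can be run
# against constructed files; run_preflight wires them to the live system.

# 0 if the name looks like an FQDN (at least one dot, no empty labels).
check_fqdn() {
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;
        *.*)           return 0 ;;
        *)             return 1 ;;
    esac
}

# 0 if the resolv.conf given as $1 has at least one nameserver line.
check_resolv_has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+' "$1"
}

# 0 if dns=none sits inside the [main] section of the NetworkManager.conf
# given as $1; the same key in another section does not count.
check_nm_dns_none() {
    awk '
        /^\[/ { section = $0 }
        section == "[main]" && $0 ~ /^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# firewalld services a FreeIPA server with integrated DNS needs: the guide's
# two LDAP services plus Kerberos, kpasswd, the web UI and DNS. Assumption:
# these are the upstream firewalld service names.
REQUIRED_FW_SERVICES="freeipa-ldap freeipa-ldaps kerberos kpasswd http https dns"

# Print the required services missing from the space-separated list in $1
# (for example the output of `firewall-cmd --list-services`), one per line.
firewall_missing_services() {
    local active=" $1 " svc
    for svc in $REQUIRED_FW_SERVICES; do
        case "$active" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# Run every check against the live system; non-zero if any check fails.
run_preflight() {
    local rc=0 missing
    check_fqdn "$(hostname)" || { echo "FAIL: hostname is not an FQDN"; rc=1; }
    check_resolv_has_nameserver /etc/resolv.conf \
        || { echo "FAIL: no nameserver in /etc/resolv.conf"; rc=1; }
    check_nm_dns_none /etc/NetworkManager/NetworkManager.conf \
        || { echo "FAIL: NetworkManager still manages DNS (dns=none missing from [main])"; rc=1; }
    missing=$(firewall_missing_services "$(firewall-cmd --list-services 2>/dev/null)")
    [ -z "$missing" ] || { echo "FAIL: firewalld services not open:"; echo "$missing"; rc=1; }
    return "$rc"
}

# Only touch the live system when invoked explicitly: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    run_preflight
fi
```

Run it as `bash preflight.sh --run` on the server after the NetworkManager restart; a `FAIL` line for resolv.conf means NetworkManager rewrote the file, which is exactly the case the `dns=none` step guards against.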
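## Added example: checking the Arch client's krb5.conf

This script is an added example, not part of the original guide. The three parts of the `/etc/krb5.conf` shown in the Arch Client section have to agree: `default_realm` in `[libdefaults]` must name a stanza in `[realms]`, and `[domain_realm]` must map the DNS domain to that same realm, or `kinit` cannot locate a KDC. The functions below extract and cross-check those entries with awk, and the embedded `sample_krb5_conf` is a constructed abridgement of the guide's file used as test input.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): consistency checks for the
# Arch client's /etc/krb5.conf. default_realm, the [realms] stanza and the
# [domain_realm] mapping must agree for kinit to find the KDC.

# Constructed sample, abridged from the krb5.conf shown in the guide.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
 default_realm = REESELINK.COM
 dns_lookup_kdc = true

[realms]
 REESELINK.COM = {
  kdc = freeipa.reeselink.com:88
  admin_server = freeipa.reeselink.com:749
 }

[domain_realm]
 .reeselink.com = REESELINK.COM
 reeselink.com = REESELINK.COM
EOF
}

# Print the default_realm from the [libdefaults] section of the file in $1.
krb5_default_realm() {
    awk -F= '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section); next }
        section == "[libdefaults]" {
            key = $1; gsub(/[[:space:]]/, "", key)
            if (key == "default_realm") { val = $2; gsub(/[[:space:]]/, "", val); print val; exit }
        }
    ' "$1"
}

# 0 if the [realms] section of $1 opens a stanza "REALM = {" for realm $2.
krb5_realm_defined() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section); next }
        section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 if [domain_realm] in $1 maps domain $2 to realm $3.
krb5_domain_mapped() {
    awk -v domain="$2" -v realm="$3" '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section); next }
        section == "[domain_realm]" && $1 == domain && $2 == "=" && $3 == realm { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Cross-check one krb5.conf; prints the first problem found and returns 1.
krb5_check() {
    local conf="$1" realm domain
    realm=$(krb5_default_realm "$conf")
    [ -n "$realm" ] || { echo "FAIL: no default_realm in [libdefaults]"; return 1; }
    # FreeIPA realms are upper-case; a lower-case realm is almost always a typo.
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: realm $realm should be upper-case"; return 1; }
    krb5_realm_defined "$conf" "$realm" \
        || { echo "FAIL: no [realms] stanza for $realm"; return 1; }
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    krb5_domain_mapped "$conf" ".$domain" "$realm" \
        || { echo "FAIL: .$domain is not mapped to $realm in [domain_realm]"; return 1; }
    echo "OK: $conf is consistent for realm $realm"
}

# Usage: ./krb5check.sh --check [/path/to/krb5.conf]
if [ "${1:-}" = "--check" ]; then
    krb5_check "${2:-/etc/krb5.conf}"
fi
```

Run `bash krb5check.sh --check` on the Arch client before the first `kinit`; it reports the first mismatch between the three sections rather than leaving you to read a generic "Cannot find KDC for realm" error.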