FreeIPA
An AD Server.
This guide assumes Fedora 40+.
Quickstart
https://www.freeipa.org/page/Quick_Start_Guide
- Set your hostname to your server's fqdn with
hostnamectl hostname freeipa.reeselink.com - Ensure you have a DNS entry pointing to your host
- Open ports:
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
- Set a permanet DNS resolver:
sudo echo "nameserver 1.1.1.1" > /etc/resolv.conf - Disable NetworkManager DNS management
vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none
- Restart NetworkManager:
systemctl restart NetworkManager - Ensure resolv.conf hasn't been repopulated:
cat /etc/resolv.conf - Install freeipa:
dnf install -y freeipa-server freeipa-server-dns - Install the server (mostly choose defaults and sane options):
ipa-server-install - Authenticate as admin:
kinit admin
Adding a user
ipa user-addipa passwd <user>kinit <user>
Arch Client
- Install krb5:
pacman -S krb5 - Edit /etc/krb5.conf to match your server
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = REESELINK.COM
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
REESELINK.COM = {
kdc = freeipa.reeselink.com:88
master_kdc = freeipa.reeselink.com:88
kpasswd_server = freeipa.reeselink.com:464
admin_server = freeipa.reeselink.com:749
default_domain = reeselink.com
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.reeselink.com = REESELINK.COM
reeselink.com = REESELINK.COM
freeipa.reeselink.com = REESELINK.COM
- Log in with your user:
kinit <user> - List your tickets:
klist