Rocky_Linux_8
Sponsored Link

FreeIPA : Configure Client (One-Time Pass)2021/08/04

 
Configure FreeIPA Client with One-Time Password provided from FreeIPA Server.
This example is based on the environment like follows.
+----------------------+          |          +----------------------+
| [  FreeIPA Server  ] |10.0.0.40 | 10.0.0.62| [  FreeIPA Client  ] |
|  dlp.ipa.srv.world   +----------+----------+ node02.ipa.srv.world |
|                      |                     |                      |
+----------------------+                     +----------------------+

[1] Add DNS entry for FreeIPA Client in integrated DNS on FreeIPA Server.
(if not using FreeIPA integrated DNS, skip this step)
And also Generate One-Time Password for FreeIPA Client to authenticate.
[root@dlp ~]#
ipa dnsrecord-add ipa.srv.world node02 --a-rec 10.0.0.62

  Record name: node02
  A record: 10.0.0.62
[root@dlp ~]#
ipa host-add node02.ipa.srv.world --random

---------------------------------
Added host "node02.ipa.srv.world"
---------------------------------
  Host name: node02.ipa.srv.world
  Random password: 7BkPGp560hTfFkT4EP5BrDO
  Password: True
  Keytab: False
  Managed by: node02.ipa.srv.world
[2]
[3] Install FreeIPA Client packages.
[root@node02 ~]#
dnf module -y install idm:DL1/client
[4] Setup FreeIPA Client.
# set DNS to FreeIPA server host

[root@node02 ~]#
nmcli connection modify enp1s0 ipv4.dns 10.0.0.40

[root@node02 ~]#
nmcli connection down enp1s0; nmcli connection up enp1s0
# setup FreeIPA client

# specify one-time password generated on FreeIPA Server for [--password] option

[root@node02 ~]#
ipa-client-install --password '7BkPGp560hTfFkT4EP5BrDO'

This program will set up IPA client.
Version 4.9.2

.....
.....

Client hostname: node02.ipa.srv.world
Realm: IPA.SRV.WORLD
DNS Domain: ipa.srv.world
IPA Server: dlp.ipa.srv.world
BaseDN: dc=ipa,dc=srv,dc=world

# confirm settings and answer [yes]
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Do you want to download the CA cert from http://dlp.ipa.srv.world/ipa/config/ca.crt ?
(this is INSECURE) [no]: yes
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SRV.WORLD
    Issuer:      CN=Certificate Authority,O=IPA.SRV.WORLD
    Valid From:  2021-08-04 03:13:25
    Valid Until: 2041-08-04 03:13:25

Enrolled in IPA realm IPA.SRV.WORLD
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.SRV.WORLD
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Principal is not set when enrolling with OTP; using principal 'admin@ipa.srv.world' for 'getent passwd'
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.srv.world as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

# set if you need (creare home directory at initial login)

[root@node02 ~]#
authselect enable-feature with-mkhomedir

[root@node02 ~]#
systemctl enable --now oddjobd
[root@node02 ~]#
logout
Rocky Linux 8.4 (Green Obsidian)
Kernel 4.18.0-305.3.1.el8_4.x86_64 on an x86_64

Activate the web console with: systemctl enable --now cockpit.socket

node02 login: rocky       # FreeIPA user
Password:                 # password
Password expired. Change your password now.  # required to change password at initial login
Current Password:         # current password
New password:             # new one
Retype new password:
[rocky@node02 ~]$         # logined
Matched Content