
How To Install FreeIPA on Ubuntu 24.04 LTS

FreeIPA is an identity management solution that provides centralized authentication, authorization and account information for Linux and UNIX hosts. It combines an LDAP directory (389 Directory Server), a Kerberos KDC (MIT Kerberos), an optional DNS server and a certificate authority (Dogtag) behind one management interface, so user and host credentials are issued, rotated and revoked in one place instead of on every machine. That makes it appealing to anyone who has to manage more than a handful of servers and client systems consistently.

Ubuntu 24.04 LTS ships the FreeIPA client packages in its own repositories, so an Ubuntu host can be enrolled in a FreeIPA realm with the distribution's tooling. This guide walks through the prerequisites, installing the client packages, enrolling the host in an existing FreeIPA realm, managing users and groups, verifying the enrollment, and hardening and maintaining the deployment.

System Requirements

Before diving into this tutorial on how to install FreeIPA on Ubuntu 24.04, ensure that your environment meets the following requirements:

  • Hardware Specifications: A FreeIPA server should have at least 2 GB of RAM and 20 GB of disk, more in environments with many hosts, accounts, logs and backups. A machine being enrolled as a client needs nothing beyond the base system.
  • Stable Network Connection: A reliable network connection is essential. FreeIPA relies on DNS, LDAP and Kerberos traffic between client and server, so an unstable link shows up as failed lookups and authentication timeouts.
  • Fully Qualified Domain Name (FQDN): Every machine needs its own valid FQDN inside the realm's DNS domain, for example ipa.example.com for the server. The FQDN becomes the host's Kerberos principal and the subject of its certificates, so it must resolve correctly in both directions.
  • Time Synchronization: Make sure the system clock is accurate. Kerberos rejects requests whose timestamps differ from the KDC's clock by more than the permitted skew (5 minutes by default), so an unsynchronised clock breaks authentication outright.

Pre-Installation Setup

Proper preparation of your Ubuntu 24.04 system avoids most of the problems people hit during enrollment. The steps below are the ones that matter:

  1. Update the System: Start by updating existing packages:
    sudo apt update
    sudo apt upgrade -y
    

    Keeping the system current means the Kerberos, SSSD and TLS libraries the client depends on carry the latest security fixes.

  2. Configure the Fully Qualified Domain Name (FQDN): The hostname must be a fully qualified, lowercase name inside the realm's DNS domain, because it becomes the host principal host/<fqdn>@REALM. ipa.example.com is used as the placeholder throughout this guide; a machine being enrolled as a client needs its own name, distinct from the server's. For example:
    sudo hostnamectl set-hostname ipa.example.com
    

    Then verify the change:

    hostnamectl
    
  3. Edit the Hosts File: If DNS is not yet in place, add the hostname and IP address to /etc/hosts. Use the address of the network interface, not the 127.0.1.1 line Ubuntu adds by default: FreeIPA refuses a hostname that resolves to a loopback address, and hostname -f must return the FQDN.
    sudo nano /etc/hosts
    # Add the following line
    192.168.1.10   ipa.example.com   ipa
    
  4. Sync System Time with NTP: Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted skew (5 minutes by default), so the clock must be synchronised before enrollment. Install chrony, which replaces Ubuntu's default systemd-timesyncd:
    sudo apt install chrony -y
    sudo systemctl enable chrony
    sudo systemctl start chrony
    

    Once the daemon has synchronised, chronyc tracking reports "Leap status : Normal".

Once these steps are completed, you are ready to install and configure FreeIPA on Ubuntu 24.04 with minimal disruption. Properly configuring DNS and the system clock significantly reduces troubleshooting complexities later in the process.
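The following pre-flight script is an added example and not part of the original guide. It checks the three things the steps above set up: that hostname -f returns a real FQDN, that the name resolves to a non-loopback address actually configured on this machine, and that chrony reports a synchronised clock. The pure helpers (is_fqdn, is_loopback, hosts_entry) can be exercised offline; the live checks run only when the script is invoked with the argument check.

```bash
#!/usr/bin/env bash
# Pre-flight check for the preparation steps above. This is an added example,
# not code from the original guide. It confirms that the host name is a proper
# FQDN, that it resolves to a non-loopback address configured on this machine
# (Ubuntu's default 127.0.1.1 entry in /etc/hosts breaks FreeIPA), and that
# chrony reports a synchronised clock, which Kerberos requires.
set -u

# is_fqdn NAME: 0 if NAME is a lowercase dotted host name with at least two
# labels and is not an IPv4 literal such as 192.168.1.10.
is_fqdn() {
    local name=$1
    case "$name" in
        *.*) ;;
        *) return 1 ;;
    esac
    if printf '%s' "$name" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        return 1
    fi
    printf '%s' "$name" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# is_loopback ADDR: 0 if ADDR is in 127.0.0.0/8 or is ::1.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# hosts_entry IP FQDN: the /etc/hosts line pairing the machine's real interface
# address with its FQDN and short name (FQDN first, so hostname -f returns it).
hosts_entry() {
    printf '%s   %s   %s\n' "$1" "$2" "${2%%.*}"
}

# preflight: run the live checks; prints PASS/FAIL lines, non-zero on failure.
preflight() {
    local rc=0 fqdn addr
    fqdn=$(hostname -f 2>/dev/null || true)
    if is_fqdn "$fqdn"; then
        echo "PASS hostname -f is an FQDN: $fqdn"
    else
        echo "FAIL hostname -f is not an FQDN: '$fqdn'"; rc=1
    fi
    addr=$(getent ahosts "$fqdn" 2>/dev/null | awk 'NR == 1 { print $1 }')
    if [ -z "$addr" ]; then
        echo "FAIL $fqdn does not resolve; fix DNS or /etc/hosts"; rc=1
    elif is_loopback "$addr"; then
        echo "FAIL $fqdn resolves to loopback ($addr); use the interface address"; rc=1
    elif ! ip -o addr show 2>/dev/null | grep -Fqw "$addr"; then
        echo "FAIL $fqdn resolves to $addr, which is not configured on this host"; rc=1
    else
        echo "PASS $fqdn resolves to local address $addr"
    fi
    if chronyc tracking 2>/dev/null | grep -q '^Leap status *: Normal'; then
        echo "PASS chrony reports the clock as synchronised"
    else
        echo "FAIL chrony not running or not yet synchronised (see: chronyc tracking)"; rc=1
    fi
    return "$rc"
}

# Live checks run only when invoked as: bash preflight.sh check
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it as bash preflight.sh check on the machine you are about to enrol; a FAIL line on the resolution check almost always means the FQDN is attached to 127.0.1.1 in /etc/hosts rather than to the interface address.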

Installing FreeIPA Client Packages

FreeIPA has two sides: the server, which runs the directory, the KDC and the CA, and the client, which enrols a host so that it can authenticate users against that server. This guide enrols an Ubuntu 24.04 machine as a client of an existing FreeIPA server, and the client packages are all that is needed for that. The server itself comes from a separate package and is set up with ipa-server-install, which is outside the scope of this guide. Here is how to proceed:

  1. Enable the Repository (if needed): The FreeIPA client packages live in Ubuntu 24.04's universe component, which a standard Ubuntu installation has enabled, so no third-party repository or PPA is required. If apt cannot find freeipa-client, enable universe with add-apt-repository universe.
  2. Install Required Packages: The client needs freeipa-client, which pulls in the Kerberos client tools (krb5-user) and the python3-ipaclient libraries, plus sssd itself. Execute:
    sudo apt update
    sudo apt install freeipa-client freeipa-common sssd -y
    

    apt resolves the remaining dependencies automatically, including python3-ipalib and python3-ipaclient, the MIT Kerberos client utilities (kinit, klist, kdestroy) and certmonger, which ipa-client-install uses to request and renew the host's certificates.

  3. Package Verification: After installation, you can verify that the packages are in place by running:
    dpkg -l | grep ipa
    

    This ensures you have the correct version of FreeIPA and related dependencies installed.

  4. Handle Installation Prompts: The krb5-config package may ask for a default Kerberos realm and for KDC and admin server hostnames. Enter your realm (EXAMPLE.COM) if asked; ipa-client-install rewrites /etc/krb5.conf during enrollment, so these answers are only placeholders.

Once these steps are completed, the FreeIPA client components are now installed. The next phase focuses on setting up and configuring key services that FreeIPA relies upon for centralized authentication and identity management.

Configuration Steps

The configuration phase is crucial for integrating your Ubuntu 24.04 system into a FreeIPA environment. This involves registering it under a realm, generating Kerberos tickets, configuring DNS, and ensuring each step is secure. Below are detailed instructions to guide you through this process.

1. Configure DNS Settings

DNS resolution must function properly, because enrollment, Kerberos and SSSD all locate the server by name. If you are using an external DNS server, make sure ipa.example.com resolves to the correct IP address and that the reverse record points back to the same name. If FreeIPA serves DNS for the domain, point the client's resolver at it and double-check the zone: besides the server's A record it carries _kerberos._tcp.example.com and _ldap._tcp.example.com SRV records, which let a client discover the server without being told its name. Verify the forward lookup with:

host ipa.example.com

A name that resolves to the wrong address, or not at all, surfaces later as failed certificate validation, Kerberos ticket requests for the wrong principal, and host registration errors.

2. Initialize FreeIPA Client

The ipa-client-install command enrols this machine in the realm: it discovers or is told the server, creates the host principal host/<fqdn>@REALM on the server, stores its key in /etc/krb5.keytab, writes /etc/krb5.conf and /etc/sssd/sssd.conf, and installs the realm's CA certificate. Run it as root, substituting your own names (client.example.com stands for the FQDN of the machine being enrolled):

sudo ipa-client-install --mkhomedir --hostname=client.example.com \
--server=ipa.example.com --domain=example.com --realm=EXAMPLE.COM

Here is what each flag accomplishes:

  • --mkhomedir enables pam_mkhomedir so that a home directory is created the first time a domain user logs in.
  • --hostname is the FQDN under which this host is enrolled. It must be this machine's own name, not the server's: every enrolled host gets its own host/<fqdn>@REALM principal and keytab, so two machines cannot share an FQDN.
  • --server names the FreeIPA server to enrol against. It can be omitted when the _ldap._tcp and _kerberos._tcp SRV records for the domain resolve, in which case the client discovers the server through DNS.
  • --domain defines the DNS domain name used for discovery and for the SSSD domain.
  • --realm sets the Kerberos realm name, by convention the uppercase form of the DNS domain.

The installer prints the discovered settings and asks for confirmation, then asks for a user authorised to enrol computers (admin by default) and that user's password. Instead of an admin password, a one-time enrollment password created on the server with ipa host-add --random can be supplied through the --password option; that is the better choice for automated provisioning because no admin credential ever touches the client. ipa-client-install configures SSSD and installs the CA certificate itself; there are no separate certificate prompts.

3. Validate Kerberos Tickets

To confirm connectivity with the Kerberos Key Distribution Center (KDC), obtain a ticket and inspect the credential cache:

kinit admin
klist

kinit admin asks for the admin password and obtains a ticket-granting ticket (TGT) from the realm's KDC; klist then shows the default principal (admin@EXAMPLE.COM) and a krbtgt/EXAMPLE.COM@EXAMPLE.COM entry with its expiry. Any enrolled user works for this test, so on a shared client prefer an unprivileged account, and run kdestroy when you are done so that an admin ticket is not left behind in the client's credential cache.

4. Integrate System Services

ipa-client-install writes /etc/sssd/sssd.conf and enables and starts SSSD (System Security Services Daemon), which answers the system's identity (NSS) and authentication (PAM) requests for the realm. Confirm it is active, and enable it if it is not:

sudo systemctl enable sssd
sudo systemctl start sssd

If lookups misbehave, raise debug_level in the [domain/example.com] section of /etc/sssd/sssd.conf, restart SSSD and read /var/log/sssd/sssd_example.com.log; sssctl domain-status example.com gives a quick online/offline summary. A working SSSD is what turns the Kerberos and LDAP plumbing into usable Unix accounts.

5. Confirm Automatic Home Directory Creation

Since --mkhomedir was specified, pam_mkhomedir creates a home directory the first time a domain user logs in, which is what you want on multi-user machines whose accounts are managed centrally. Check the mode of a freshly created directory with ls -ld: pam_mkhomedir's umask option controls it and should not leave home directories world-readable.
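The script below is an added example, not code from the original guide, and wraps the enrollment steps above in a form that can be reviewed and repeated. The names are assumptions to replace with your own (server ipa.example.com, domain example.com, realm EXAMPLE.COM); the client's name is taken from hostname -f. Before ipa-client-install runs, check_names refuses the two classic mistakes, enrolling under the server's own FQDN or under a name outside the realm's DNS domain, and afterwards the script confirms that a host keytab was written and SSSD is running.

```bash
#!/usr/bin/env bash
# Enrollment helper for the configuration steps above. This is an added
# example, not code from the original guide. Names are assumptions to replace
# with your own: server ipa.example.com, domain example.com, realm EXAMPLE.COM;
# the client being enrolled takes its name from hostname -f.
set -u

# check_names SERVER DOMAIN REALM HOST: 0 if the combination is consistent,
# otherwise explains the problem on stderr and returns 1.
check_names() {
    local server=$1 domain=$2 realm=$3 host=$4
    if [ "$host" = "$server" ]; then
        echo "refusing to enrol: $host is the server's own FQDN; each client needs its own name" >&2
        return 1
    fi
    case "$host" in
        *."$domain") ;;
        *) echo "refusing to enrol: $host is not inside the DNS domain $domain" >&2; return 1 ;;
    esac
    if [ "$realm" != "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "note: realm $realm is not the uppercase form of $domain; double-check it" >&2
    fi
    return 0
}

# enroll_cmd SERVER DOMAIN REALM HOST: print the ipa-client-install command
# line that would be run, for review or for a change ticket.
enroll_cmd() {
    check_names "$@" || return 1
    printf 'ipa-client-install --hostname=%s --server=%s --domain=%s --realm=%s --mkhomedir --principal=admin\n' \
        "$4" "$1" "$2" "$3"
}

# enroll SERVER DOMAIN REALM: enrol this machine, then confirm the host keytab
# was written and SSSD is running. ipa-client-install prompts for the admin
# password itself, so no secret is passed on the command line.
enroll() {
    local host
    host=$(hostname -f)
    check_names "$1" "$2" "$3" "$host" || return 1
    sudo ipa-client-install --hostname="$host" --server="$1" --domain="$2" \
        --realm="$3" --mkhomedir --principal=admin || return 1
    sudo test -s /etc/krb5.keytab || { echo "no host keytab in /etc/krb5.keytab" >&2; return 1; }
    systemctl is-active --quiet sssd || { echo "sssd is not running" >&2; return 1; }
    echo "enrolled $host in $3 via $1"
}

# Enrol only when invoked as: bash enroll.sh enroll
if [ "${1:-}" = "enroll" ]; then
    enroll ipa.example.com example.com EXAMPLE.COM
fi
```

Calling enroll_cmd with the four names prints the exact command line without touching the system, which is useful when enrollment has to be approved before it is executed.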

At this stage, your Ubuntu 24.04 system should be fully integrated with the FreeIPA ecosystem and ready to authenticate domain users or manage identity components within the realm.

User Management

One of the primary benefits of using FreeIPA is centralized user management. Rather than configuring accounts on each Linux server individually, administrators can add, remove, and modify users within the FreeIPA realm. Below is an overview of how this management works.

Adding User Accounts

To add a new user in FreeIPA, obtain a Kerberos ticket as admin or as a member of the User Administrators role (kinit on the server or on any enrolled client), then run:

ipa user-add newuser --first=New --last=User --password

The --password flag prompts for the initial password interactively rather than taking it on the command line, so it does not land in the shell history. The initial password is marked expired, so the user must change it at first login. The shell, home directory and UID/GID are assigned automatically from the realm's defaults and ID range. For provisioning scripts, --random prints a generated one-time password instead of prompting.

Group Management

Groups allow you to grant privileges to multiple users at once. For example, create a developers group:

ipa group-add developers --desc="Developer Group"

Then assign users to the group:

ipa group-add-member developers --users=newuser

Group membership simplifies permissions and policy management.

Password Policy and Security

FreeIPA provides password policy options to enforce length, character classes, history, expiry and lockout after repeated failures. Policies can be global or attached to a group; a user gets the applicable group policy with the lowest priority number, otherwise the global policy. To see which policy applies to a user:

ipa pwpolicy-show --user=newuser

Change the global policy with ipa pwpolicy-mod, or create a stricter group policy with ipa pwpolicy-add (it requires a --priority value), setting minimum length, character classes, history depth, maximum lifetime and failed-attempt lockout to match your organisation's requirements.

Through centralized authentication and group management, FreeIPA streamlines identity administration, allowing Linux environments to scale with ease while maintaining robust security controls.
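As an added example, not part of the original guide, the script below turns the user, group and password-policy commands above into an idempotent provisioning run: it probes for each object before creating it, issues a random one-time password instead of typing one, and attaches a stricter policy to the group. The names newuser and developers are the guide's placeholders; the policy values are assumptions to adjust for your site. With DRY_RUN=1 the ipa commands are printed instead of executed, which is how the functions can be checked offline.

```bash
#!/usr/bin/env bash
# Idempotent provisioning for the user, group and password-policy commands
# above. This is an added example, not code from the original guide. Set
# DRY_RUN=1 to print the ipa commands instead of running them. Requires a
# Kerberos ticket for a sufficiently privileged user when run for real.
set -u

DRY_RUN="${DRY_RUN:-}"

# ipa_do ARGS...: run an ipa subcommand, or print it in dry-run mode.
ipa_do() {
    if [ -n "$DRY_RUN" ]; then
        printf 'ipa %s\n' "$*"
    else
        ipa "$@"
    fi
}

# ipa_has ARGS...: existence probe (ipa user-show, group-show, ...). In dry-run
# mode every object is treated as absent so the create commands are shown.
ipa_has() {
    [ -z "$DRY_RUN" ] && ipa "$@" >/dev/null 2>&1
}

ensure_user() { # ensure_user LOGIN FIRST LAST
    if ipa_has user-show "$1"; then
        echo "user $1 exists" >&2
        return 0
    fi
    # --random prints a generated one-time password that the user must change
    # at first login; nothing secret is typed into the shell history.
    ipa_do user-add "$1" --first="$2" --last="$3" --random
}

ensure_group() { # ensure_group GROUP DESCRIPTION
    if ipa_has group-show "$1"; then
        echo "group $1 exists" >&2
        return 0
    fi
    ipa_do group-add "$1" --desc="$2"
}

ensure_member() { # ensure_member GROUP LOGIN
    # group-add-member fails when the user is already a member, so check the
    # raw LDAP attribute first (member: uid=LOGIN,cn=users,...).
    if [ -z "$DRY_RUN" ] && ipa group-show "$1" --raw 2>/dev/null | grep -q "^ *member: uid=$2,"; then
        echo "$2 is already in $1" >&2
        return 0
    fi
    ipa_do group-add-member "$1" --users="$2"
}

ensure_pwpolicy() { # ensure_pwpolicy GROUP PRIORITY
    # Group policies need a priority; the lowest number wins when a user is in
    # several groups. The values are assumptions: length and lockout over
    # forced character classes. maxlife is in days, minlife in hours,
    # failinterval and lockouttime in seconds.
    local args="--minlength=14 --maxlife=365 --minlife=1 --history=10 --maxfail=6 --failinterval=300 --lockouttime=900"
    if ipa_has pwpolicy-show "$1"; then
        # shellcheck disable=SC2086  # intentional word splitting of $args
        ipa_do pwpolicy-mod "$1" $args
    else
        # shellcheck disable=SC2086
        ipa_do pwpolicy-add "$1" --priority="$2" $args
    fi
}

provision() {
    ensure_group developers "Developer Group"
    ensure_pwpolicy developers 10
    ensure_user newuser New User
    ensure_member developers newuser
}

# Provision only when invoked as: bash provision.sh provision
if [ "${1:-}" = "provision" ]; then
    provision
fi
```

Running DRY_RUN=1 bash provision.sh provision prints the four ipa commands that would be issued; re-running the script for real after a partial failure only creates what is still missing.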

Testing and Verification

After configuring the system and managing users, a thorough test ensures that everything works as intended. Below are essential steps for verifying your FreeIPA integration on Ubuntu 24.04.

  1. SSH Test: Log in over SSH with a FreeIPA user, using the enrolled machine's own FQDN (client.example.com is a placeholder for it here):
    ssh newuser@client.example.com
    

    A successful password login that lands in a freshly created home directory confirms that SSSD is answering PAM and NSS requests and that the KDC accepted the password. A newly created user is forced to change the expired initial password before the session opens.

  2. Check Kerberos Tickets: In the new session, verify that a ticket was issued:
    klist
    

    After a password login SSSD obtains and caches a ticket-granting ticket, so klist shows the user's principal in the correct realm and a krbtgt/EXAMPLE.COM@EXAMPLE.COM entry. Public-key SSH logins present no password to SSSD, so no ticket is obtained; run kinit in that case.

  3. Ensure DNS Resolution: An essential piece of the integration puzzle is DNS. If lookups fail, confirm the server's A record and the _kerberos._tcp and _ldap._tcp SRV records for the domain, check the resolver configuration, and consult the SSSD log:
    journalctl -u sssd.service
    
  4. System Integration Checks: Look up a domain user through NSS with getent passwd newuser and id newuser; the entry should come back with the UID, home directory and shell that FreeIPA assigned. A plain getent passwd with no argument lists only local accounts, because SSSD does not enumerate domain users by default.

If all these checks pass, the Ubuntu 24.04 client has been successfully integrated into the FreeIPA environment.
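The script below is an added example, not code from the original guide, and turns the checks above into something that can run from a monitoring job. It parses klist for a ticket-granting ticket in the expected realm and asks SSSD directly (getent -s sss) for the user, then validates the passwd entry. SAMPLE_KLIST and SAMPLE_PASSWD are constructed to resemble a healthy client in EXAMPLE.COM and exist only so that the parsers can be exercised offline; the live checks run when the script is invoked with verify.

```bash
#!/usr/bin/env bash
# Verification helper for the checks above. This is an added example, not code
# from the original guide. It parses klist and getent output so the checks can
# be scripted and fail loudly instead of being read by eye.
set -u

# has_tgt REALM OUTPUT: 0 if the klist OUTPUT lists a ticket-granting ticket
# for REALM, i.e. the service principal krbtgt/REALM@REALM.
has_tgt() {
    printf '%s\n' "$2" | grep -Fq "krbtgt/$1@$1"
}

# default_principal OUTPUT: print the default principal named by klist.
default_principal() {
    printf '%s\n' "$1" | awk '/^Default principal:/ { print $3; exit }'
}

# check_passwd_entry LOGIN LINE: 0 if the passwd LINE describes LOGIN as an
# IPA-style account: numeric UID outside the local system range, home under
# /home, and an interactive login shell.
check_passwd_entry() {
    local login=$1 name uid home shell
    IFS=: read -r name _ uid _ _ home shell <<EOF
$2
EOF
    [ "$name" = "$login" ] || { echo "entry is for '$name', not '$login'" >&2; return 1; }
    case "$uid" in
        ''|*[!0-9]*) echo "non-numeric uid '$uid'" >&2; return 1 ;;
    esac
    [ "$uid" -ge 1000 ] || { echo "uid $uid is in the local system range" >&2; return 1; }
    case "$home" in
        /home/*) ;;
        *) echo "unexpected home directory '$home'" >&2; return 1 ;;
    esac
    case "$shell" in
        /bin/sh|/bin/bash|/usr/bin/bash|/bin/zsh|/usr/bin/zsh) ;;
        *) echo "unexpected login shell '$shell'" >&2; return 1 ;;
    esac
    return 0
}

# verify_client LOGIN REALM: live checks on an enrolled machine.
verify_client() {
    local login=$1 realm=$2 out rc=0
    if out=$(klist 2>/dev/null) && has_tgt "$realm" "$out"; then
        echo "PASS TGT for $realm in cache as $(default_principal "$out")"
    else
        echo "FAIL no TGT for $realm in the credential cache (public-key SSH logins get none; run: kinit $login)"; rc=1
    fi
    # Query SSSD directly so a stale local copy in /etc/passwd cannot mask a
    # broken lookup; without a login argument getent would not enumerate
    # domain users at all.
    if out=$(getent -s sss passwd "$login" 2>/dev/null) && check_passwd_entry "$login" "$out"; then
        echo "PASS $login resolved through SSSD: $out"
    else
        echo "FAIL $login not resolvable through SSSD (check: journalctl -u sssd)"; rc=1
    fi
    return "$rc"
}

# Constructed sample outputs for offline testing of the parsers above.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1245400001
Default principal: newuser@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/2024 10:00:00  05/02/2024 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
SAMPLE_PASSWD='newuser:*:1245400001:1245400001:New User:/home/newuser:/bin/sh'

# Live checks run only when invoked as: bash verify.sh verify [login] [realm]
if [ "${1:-}" = "verify" ]; then
    verify_client "${2:-newuser}" "${3:-EXAMPLE.COM}"
fi
```

bash verify.sh verify newuser EXAMPLE.COM exits non-zero on the first broken piece, which makes it suitable as a post-enrollment gate in configuration management or as a periodic health check.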

Troubleshooting Guide

While setting up FreeIPA, a number of common issues can arise. Familiarity with these pitfalls can expedite problem resolution:

  • Certificate Problems: ipa-client-install fetches the realm's CA certificate into /etc/ipa/ca.crt and uses it to verify the server's LDAP and HTTPS certificates. If the server's certificate does not match the name the client connects to, or the stored CA certificate is stale, enrollment and the ipa command fail with TLS errors while plain kinit still works. Confirm that the name you enrol against matches the server's FQDN and that /etc/ipa/ca.crt holds the current CA chain.
  • DNS Resolution Issues: If the client cannot find the FreeIPA server, authentication fails. Ensure that ipa.example.com resolves properly, that the _kerberos._tcp and _ldap._tcp SRV records exist if you rely on discovery, and that /etc/resolv.conf (or systemd-resolved) points at a resolver that serves the realm's domain.
  • Authentication Failures: When kinit or login attempts fail, check time synchronisation first. Kerberos rejects requests when client and KDC clocks differ by more than the permitted skew, 5 minutes by default, with errors such as "Clock skew too great". Compare date on client and server and check chronyc tracking.
  • Installation Conflicts: If packages are partially installed, remove or purge them before attempting a fresh install to avoid dependency conflicts. A half-finished enrollment is cleaned up with ipa-client-install --uninstall before retrying.

By methodically examining these areas, you can isolate the root cause of errors and ensure a stable, secure FreeIPA setup on Ubuntu 24.04.

Security Considerations

Security lies at the heart of FreeIPA, especially since it consolidates identity and authentication. Follow these practices to ensure the platform remains protected:

  • Firewall Configuration: On the server, restrict the FreeIPA ports to the networks that enrolled clients live on: 80 and 443 (HTTP/HTTPS for the web UI, API, CA and CRL), 389 and 636 (LDAP/LDAPS), 88 and 464 (Kerberos and password changes, both TCP and UDP), plus 53 (TCP and UDP) only if FreeIPA serves DNS and 123 UDP only if it serves NTP. Use ufw or a similar firewall tool with a default-deny inbound policy. Clients need no inbound ports opened for FreeIPA at all.
  • TLS Trust: All FreeIPA traffic apart from Kerberos already travels over TLS; what matters is that clients verify the server's certificate against the realm CA that ipa-client-install installs in /etc/ipa/ca.crt. Never disable certificate verification to work around a name mismatch; fix the name or reissue the certificate. If you use an external CA for the web and LDAP certificates, keep them valid and matching the server's FQDN.
  • Least Privilege Model: Keep the admin account for break-glass use and delegate day-to-day tasks through FreeIPA's role-based access control (roles, privileges and permissions), so that help-desk staff can reset passwords without being able to create hosts or change policy. Audit role membership regularly, and do not leave admin tickets in credential caches on clients (kdestroy when done).
  • Password Policy and Second Factor: Enforce a password policy that favours length and lockout over arbitrary complexity rules, and enable FreeIPA's built-in OTP support (ipa otptoken-add, together with the otp user authentication type) for administrators and other sensitive accounts.

Taking these steps goes a long way toward maintaining a hardened environment. As FreeIPA often interacts with mission-critical identity and access services, ensuring robust security is essential for ongoing reliability.
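As an added example that is not part of the original guide, the script below generates (or, with APPLY=1, applies) the ufw rules for the port list above: default-deny inbound, and each FreeIPA port allowed only from an assumed client network of 192.168.1.0/24. DNS and NTP are opened only when the server actually provides them (IPA_DNS=1, IPA_NTP=1), since an open resolver or time service on the identity server is exposure for nothing.

```bash
#!/usr/bin/env bash
# ufw rule generator for a FreeIPA server, for the firewall advice above. This
# is an added example, not code from the original guide. 192.168.1.0/24 is an
# assumed client network; set APPLY=1 to run the rules instead of printing them.
set -u

APPLY="${APPLY:-}"
IPA_DNS="${IPA_DNS:-}"   # 1 if this server runs the FreeIPA DNS service
IPA_NTP="${IPA_NTP:-}"   # 1 if clients are meant to sync time from this server

# ipa_ports: print "PORT PROTO" pairs for the services this server exposes.
ipa_ports() {
    printf '%s\n' '80 tcp' '443 tcp' '389 tcp' '636 tcp' '88 tcp' '88 udp' '464 tcp' '464 udp'
    [ -n "$IPA_DNS" ] && printf '%s\n' '53 tcp' '53 udp'
    [ -n "$IPA_NTP" ] && printf '%s\n' '123 udp'
    return 0
}

# ufw_rules CIDR: emit the ufw commands. Inbound is denied by default, admin
# SSH and every FreeIPA port are allowed only from CIDR.
ufw_rules() {
    local cidr=$1
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow from $cidr to any port 22 proto tcp"
    ipa_ports | while read -r port proto; do
        echo "ufw allow from $cidr to any port $port proto $proto"
    done
    echo "ufw --force enable"
}

# apply_rules CIDR: run each generated command with root privileges.
apply_rules() {
    ufw_rules "$1" | while read -r cmd; do
        sudo sh -c "$cmd"
    done
}

# Apply only when invoked as: APPLY=1 bash ipa-fw.sh [CIDR]
if [ -n "$APPLY" ]; then
    apply_rules "${1:-192.168.1.0/24}"
fi
```

Run bash ipa-fw.sh without APPLY to review the rule set first; clients on other networks will need their own allow lines, and replication partners need the same ports opened towards each other.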

Maintenance and Updates

After installing FreeIPA on Ubuntu 24.04, ongoing maintenance ensures long-term stability and reliability. Key tasks include:

  • Regular Software Updates: Periodically apply security patches to Ubuntu and FreeIPA packages:
    sudo apt update
    sudo apt upgrade -y
    

    Outdated Kerberos libraries or identity modules can expose vulnerabilities.

  • Data Backups: On the server, take regular backups with ipa-backup, which captures the directory data, the CA and the configuration, and store them off the box, encrypted: a backup contains the realm's Kerberos master key and the CA private key, so it is as sensitive as the server itself. Rehearse a restore with ipa-restore on a scratch machine from time to time.
  • Performance Monitoring: Monitor CPU, memory, and disk usage on your FreeIPA server. Overburdened resources can slow down or disrupt authentication requests.
  • Rotating Log Files: Logs can grow significantly over time, so implement a rotation policy to keep your disk usage in check.
  • Periodic Health Checks: Test Kerberos tickets and LDAP queries to confirm that user authentication remains functional. Some administrators automate these checks with monitoring tools that send alerts if the system goes down.

By creating a clear schedule for updates and backups, FreeIPA remains resilient and can easily expand to meet increasing security and identity management needs.

This completes the enrollment of an Ubuntu 24.04 LTS host into a FreeIPA realm. For the server-side installation, replication and the full command reference, consult the official FreeIPA documentation.

r00t
