Setup IPA client to authenticate with Active Directory


Environment

  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 7

Resolution

The instructions below apply to IPA clients. For IPA servers, see Setup IPA Server to authenticate with Active Directory.

  1. Point the client's DNS at the IPA master:
# vi /etc/resolv.conf
# Generated by NetworkManager
search idm.example.local
nameserver 192.168.122.y

Note! Put the IP address of the DNS server here. It can be internal (the IPA server's own DNS) or external; this depends on how the IPA server was installed.

  2. Check that the client can reach the IPA master on the required ports, as shown below:
[root@client~]# nmap ipaserver.idm.example.local

Starting Nmap 6.40 ( http://nmap.org ) at 2023-08-29 12:37 -03
Nmap scan report for ipaserver.idm.example.local (192.168.122.y)
Host is up (0.00043s latency).
Not shown: 991 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
88/tcp   open   kerberos-sec
389/tcp  open   ldap
443/tcp  open   https
464/tcp  open   kpasswd5
636/tcp  open   ldapssl
9090/tcp closed zeus-admin
MAC Address: 52:54:00:44:BB:71 (QEMU Virtual NIC)

Or make a Telnet-style check with curl:

# for port in 53 80 88 123 389 443 464 636 3268 3269; do timeout 6s curl -v telnet://ad.example.local:$port; done; echo -e '\nPort Checking Done!\n'
  3. Add the following services with firewall-cmd:

For RHEL 7:

# firewall-cmd --add-service={freeipa-clients,ssh} --permanent
# firewall-cmd --reload

For RHEL 8 and 9:

# firewall-cmd --add-service={freeipa-clients,freeipa-trust,ssh} --permanent
# firewall-cmd --reload
  4. Check that the LDAP SRV records of both the Active Directory domain and the IdM domain resolve (replace the bracketed names with your own domains):
# dig +short -t SRV _ldap._tcp.<idm.example.local>
# dig +short -t SRV _ldap._tcp.<example.local>
  5. Install the ipa-client package (RHEL 7 and 9):
[root@client~]# yum install ipa-client -y

For RHEL 8:

# yum module enable idm:DL1
# yum distro-sync
# yum module install idm:DL1/client
  6. Run the client setup. This is a generic template for the command; refer to the installation documentation for your RHEL version, linked at the bottom of this article:
[root@client~]# ipa-client-install --mkhomedir --domain=idm.example.local --server=ipaserver.idm.example.local --fixed-primary --principal=admin --password='<password>'
  7. After the installation finishes, check that you can obtain a Kerberos ticket and log in with an AD user:
# kinit -v <aduser>@EXAMPLE.LOCAL
# id <aduser>
# ssh <aduser>@example.local@127.0.0.1
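The port check from step 2 and the SRV-record check from step 4 can be combined into one pre-flight script that is run before ipa-client-install. The script below is an added example and is not part of this Red Hat article; it assumes bash (for /dev/tcp), the coreutils timeout command and dig from bind-utils, and it uses the article's example hostnames, which you override through the IPA_SERVER, IDM_DOMAIN and AD_DOMAIN environment variables. The port list is the set of TCP ports shown open in the step 2 nmap output.

```shell
#!/usr/bin/env bash
# Added pre-flight check for an IPA client (example, not from the article).
# Assumes: bash (/dev/tcp), coreutils timeout, dig (bind-utils).
# Hostnames below are the article's examples; override via the environment.

IPA_SERVER="${IPA_SERVER:-ipaserver.idm.example.local}"
IDM_DOMAIN="${IDM_DOMAIN:-idm.example.local}"
AD_DOMAIN="${AD_DOMAIN:-example.local}"

# TCP ports reported open on the IPA server in the step 2 nmap output.
IPA_CLIENT_PORTS="53 80 88 389 443 464 636"

# tcp_open HOST PORT -> exit 0 if a TCP connect succeeds within 3 seconds.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# closed_ports_from_nmap REPORT PORTS -> prints, space separated, every port
# in PORTS that REPORT (nmap text output) does not list as "<port>/tcp open".
# Pure text processing, so it can be exercised without network access.
closed_ports_from_nmap() {
  local report="$1" ports="$2" p missing=""
  for p in $ports; do
    printf '%s\n' "$report" | grep -Eq "^${p}/tcp[[:space:]]+open" \
      || missing="$missing $p"
  done
  printf '%s\n' "${missing# }"
}

# srv_targets DOMAIN -> prints the target hosts of _ldap._tcp.DOMAIN, one per line.
srv_targets() {
  dig +short -t SRV "_ldap._tcp.$1" | awk '{print $4}'
}

# preflight -> checks every required port on the IPA server and the LDAP SRV
# records of both domains; exit status is non-zero if anything failed.
preflight() {
  local rc=0 p d
  for p in $IPA_CLIENT_PORTS; do
    if tcp_open "$IPA_SERVER" "$p"; then
      echo "ok   $IPA_SERVER:$p"
    else
      echo "FAIL $IPA_SERVER:$p"; rc=1
    fi
  done
  for d in "$IDM_DOMAIN" "$AD_DOMAIN"; do
    if [ -n "$(srv_targets "$d")" ]; then
      echo "ok   SRV _ldap._tcp.$d"
    else
      echo "FAIL SRV _ldap._tcp.$d"; rc=1
    fi
  done
  return $rc
}

# Run the checks only when invoked as "bash ipa-preflight.sh run", so the
# functions can also be sourced into another script without side effects.
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Run it as `bash ipa-preflight.sh run` on the client; a FAIL on a port usually means a firewall between client and IPA server, while a FAIL on an SRV record means the client's resolv.conf from step 1 is not pointing at a DNS server that knows the IdM or AD domain. closed_ports_from_nmap lets you feed a saved nmap report into the same port list, which is handy when the check has to be done from a host that has nmap but not the script.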

References:

  • Installing an IdM client - RHEL 8
  • Installing packages required for an IdM client - RHEL 8
  • Prerequisites for Installing a Client - RHEL 7

Component: ipa
