IDM Server GUI
- Log in to the IDM web GUI
- Add the host under Identity > Hosts > + Add
The host must not already be defined in DNS; if it is, it can only be added from the CLI.
{.is-info}
- Enter the hostname, DNS zone and IP address, and tick `[x] Generate OTP`
- Note the OTP for later; it is shown once and is consumed by the client enrolment
IDM Server CLI
- Log in to the IDM server via SSH
- Obtain a Kerberos ticket for the admin account:
```
kinit admin
```
- Add the host with a random one-time password (this is the CLI alternative to the GUI step above; both create the same host entry):
```
[root@idm ~]# ipa host-add --random host.domain.whatever
----------------------------------
Added host "host.domain.whatever"
----------------------------------
  Host name: host.domain.whatever
  Random password: xxxOTPTokenxxx
  Password: True
  Keytab: False
  Managed by: host.domain.whatever
```
- Note the random password (the OTP) for later
Ubuntu Client
Now that the host entry exists on the IDM server you can set up the client.
Make sure the client's hostname is fully qualified (not `client` but `client.domain.whatever`). You can change it with `sudo hostnamectl set-hostname client.domain.whatever`.
{.is-info}
Make sure the client can resolve the IDM server, either by using it as the DNS server or by adding a record for it to `/etc/hosts`.
{.is-info}
- Install the packages:
```
sudo apt install freeipa-client oddjob-mkhomedir chrony libnss-ldapd libpam-ldapd ldap-utils
```
The `libnss-ldapd`, `libpam-ldapd` and `ldap-utils` packages are what trigger the nslcd prompts below. `ipa-client-install` configures SSSD, which provides the NSS and PAM lookups on its own, so they are not required for the join.
- When prompted for the default Kerberos realm (by `krb5-config`), enter your domain in capital letters (DOMAIN.WHATEVER)
- When prompted for the name services to configure (by `libnss-ldapd`), select the first three:
```
[*] passwd
[*] group
[*] shadow
[ ] hosts
[ ] networks
[ ] ethers
[ ] protocols
[ ] services
[ ] rpc
[ ] netgroup
[ ] aliases
```
- Now enrol the client, using the OTP from the host entry:
```
sudo ipa-client-install --password 'xxxOTPTokenxxx' --server=idm.domain.whatever --domain domain.whatever --realm DOMAIN.WHATEVER
```
- Answer `yes` at the first prompt, press Enter to accept the default at the next one, then `yes` at the remaining two.
The OTP is single-use: once the client has fetched its host keytab it is gone, and a second enrolment attempt needs a fresh OTP generated on the server.
{.is-info}
Then enable the PAM profiles for SSSD and home directory creation:
```
sudo pam-auth-update
```
Select the following profiles (the `LDAP Authentication` entry is only present because `libpam-ldapd` was installed):
```
[*] Pwquality password strength checking
[*] Unix authentication
[*] SSS authentication
[*] LDAP Authentication
[*] Register user sessions in the systemd control group hierarchy
[*] Create home directory on login
[*] Inheritable Capabilities Management
```
- Now you should be able to log in with your IDM users; `id <user>` and `getent passwd <user>` on the client confirm that SSSD resolves them.
HBAC and sudo rules are managed on the IDM server (Policy > Host-Based Access Control and Policy > Sudo). Note that the default `allow_all` HBAC rule permits every user on every enrolled host until you disable or replace it.
{.is-info}
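The client-side steps above, automated as one script. This is an added example and not part of the original page or of FreeIPA itself. It assumes the placeholder names `idm.domain.whatever` (IDM server) and `domain.whatever` (DNS domain), takes the client FQDN from `hostname -f`, and reads the OTP from an `IPA_OTP` environment variable rather than having it typed on the command line. `--unattended` replaces the interactive yes/Enter answers and `--mkhomedir` enables oddjob-mkhomedir in PAM, which covers the "Create home directory on login" part of the `pam-auth-update` step.

```bash
#!/bin/sh
# Added example (not from the original page): pre-flight checks and an
# unattended enrolment of an Ubuntu client into the IDM (FreeIPA) server.
# Assumed placeholder names: idm.domain.whatever (IDM server) and
# domain.whatever (DNS domain). The OTP from the host entry is read from
# the IPA_OTP environment variable.
set -eu

# A hostname counts as fully qualified here if it has at least two labels
# and no empty label: "client.domain.whatever" passes, "client" and
# "client." do not.
is_fqdn() {
  case "$1" in
    *.*) ;;                    # at least one dot
    *)   return 1 ;;
  esac
  case "$1" in
    .*|*.|*..*) return 1 ;;    # empty leading, trailing or inner label
  esac
  return 0
}

# FreeIPA's Kerberos realm is the DNS domain in upper case.
realm_from_domain() {
  printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# True if the IDM server resolves through NSS (DNS or /etc/hosts), the
# same path ipa-client-install uses.
server_resolves() {
  getent hosts "$1" >/dev/null 2>&1
}

# ipa-client-install writes /etc/ipa/default.conf on a successful join;
# use its presence to avoid re-running the enrolment.
already_enrolled() {
  [ -r /etc/ipa/default.conf ]
}

preflight() {
  host=$1 server=$2
  if ! is_fqdn "$host"; then
    echo "hostname '$host' is not fully qualified; run: sudo hostnamectl set-hostname <fqdn>" >&2
    return 1
  fi
  if ! server_resolves "$server"; then
    echo "cannot resolve '$server'; use the IDM server as DNS or add it to /etc/hosts" >&2
    return 1
  fi
}

# --unattended replaces the interactive yes/Enter answers, --mkhomedir
# enables oddjob-mkhomedir in PAM, --hostname pins the FQDN. The OTP is
# single-use, so it is only exposed in the process list for the duration
# of the installer; keep it out of shell history by exporting IPA_OTP
# from a protected file rather than typing it inline.
enroll() {
  host=$1 server=$2 domain=$3
  preflight "$host" "$server"
  sudo ipa-client-install --unattended --mkhomedir \
    --hostname="$host" --server="$server" --domain="$domain" \
    --realm="$(realm_from_domain "$domain")" --password="$IPA_OTP"
}

# After the join: the host keytab must exist and an IDM user must be
# visible through SSSD.
verify() {
  sudo klist -kt /etc/krb5.keytab
  getent passwd "$1"
}

# Only acts when an OTP is supplied, e.g.:  IPA_OTP=xxxOTPTokenxxx sh enroll.sh
if [ -n "${IPA_OTP:-}" ]; then
  if already_enrolled; then
    echo "already enrolled; see /etc/ipa/default.conf" >&2
  else
    enroll "$(hostname -f)" idm.domain.whatever domain.whatever
  fi
  verify admin
fi
```

Run it as `IPA_OTP='xxxOTPTokenxxx' sh enroll.sh` on the client after installing the packages; without `IPA_OTP` set it only defines the functions, so the checks can be sourced and run by hand first.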