
Deploying a Linux Server Environment from Scratch (Part 1) (Update)


Rocky Linux 9 Server Installation, FreeIPA (Identity, Policy Management) deployment, DHCP Installation and Linux Client Domain Join


(Update) I added the section “DHCP Dynamic DNS Update” to allow the DHCP server to update the DNS entries.

Hello everyone,

recently (basically the last post) I created a series on how to deploy a “Windows Server Environment from Scratch”, in which I go through the installation and configuration of several Windows services to bootstrap a server infrastructure for an imaginary small business.

In this series, I want to do the same with Linux. I don’t have too much experience with what I want to do in this, so we will see how this goes. Furthermore, I don’t even know if I can accomplish some of the things I did in the other series.

Not because it’s not possible, but mainly because I don’t know how. Again, we will see :)

Let’s begin.

System Information

Hostname      IP                   Function
TEST-IPA01    192.168.152.220/24   Identity, Policy Management, DNS, DHCP, Certificate Authority
TEST-FEDORA   192.168.152.225/24   Linux Client

Network Information

Network   192.168.152.0
Subnet    255.255.255.0
Gateway   192.168.152.254

Downloading the Rocky Linux 9 ISO

I will be using Rocky Linux 9.4 for the OS, but you could use whatever you prefer. If you use a Red Hat based distro, then the commands should be identical. With others, you might have to adjust.

For the hypervisor, I will be using Proxmox. Like in the previous series, the reason is simply that it’s already running. Again, you can use whatever you prefer; the hypervisor isn’t really relevant here.

First, we need the ISO. You can download it from this URL. I will log into the Proxmox server and download it directly into the “ISO” folder.

proxmox :: ~ » cd /mnt/STORAGE/templates/iso
proxmox :: iso » wget https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9.4-x86_64-minimal.iso

Rocky Linux Installation and base configuration

Rocky Linux Installation

Alright. Now, we will create our first VM. I will quickly go through the Proxmox configuration.

Start the VM and select “Install Rocky Linux 9.4”.

Select your preferred language, and click on “Continue”.

I will start with “Keyboard” configuration and work through each setup.

Let’s go through the network configuration quickly. Give the VM a hostname; I will use “test-ipa01.test.intra” and a static IP of “192.168.152.220/24”.

Hostname

Make sure the hostname is in lowercase. The screenshot shows it wrong; FreeIPA does not accept capital letters in the hostname.

Once the configuration is done, click on “Begin Installation”.

Reboot the system.

That’s it for the installation. Let’s SSH into the server.

Rocky Linux base configuration

fedora :: ~ » ssh admin@192.168.152.220

Let’s run system updates, install the epel repository and a few applications.

# Update the system
admin@TEST-IPA01 :: ~ » sudo dnf upgrade
# Install the EPEL Repository
admin@TEST-IPA01 :: ~ » sudo dnf install epel-release
# Install a few applications
admin@TEST-IPA01 :: ~ » sudo dnf install htop wget vim bash-completion

Reboot the system.

admin@TEST-IPA01 :: ~ » sudo reboot

Once we are back in, we have to prepare the system for the FreeIPA server installation.

First, we add the local hostname to the “hosts” file.

admin@TEST-IPA01 :: ~ » sudo vim /etc/hosts
192.168.152.220 test-ipa01.test.intra test-ipa01

Next, we set the firewall. We will add the FreeIPA services, and DNS, to the allowed list.

# Add the rules permanently
admin@TEST-IPA01 :: ~ » sudo firewall-cmd --add-service={freeipa-4,dns} --permanent
# Load them into the running configuration
admin@TEST-IPA01 :: ~ » sudo firewall-cmd --reload

OK. Install the FreeIPA server.

admin@TEST-IPA01 :: ~ » sudo dnf install freeipa-server freeipa-server-dns
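Before running the installer, it pays to verify the two things that most often make ipa-server-install fail: the hostname and the /etc/hosts entry. The following script is an added example, not code from the original post or from FreeIPA. It encodes the requirements mentioned above (lowercase, fully qualified hostname inside the IPA domain, a matching /etc/hosts line for the static IP) plus the installer’s refusal of a hostname that resolves to loopback. The sample inputs are constructed to match the test-ipa01 values used in this post; on the real server you would feed it `hostname -f` and the contents of /etc/hosts.

```python
"""Pre-flight check for the FreeIPA server hostname and /etc/hosts entry.

Added example (not from the post or from FreeIPA). Sample inputs are
constructed to match the post's test-ipa01 values.
"""
import ipaddress
import re

# RFC 1123 label: lowercase letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def check_hostname(fqdn: str, domain: str) -> list[str]:
    """Return the problems with the server FQDN; an empty list means OK."""
    problems = []
    if fqdn != fqdn.lower():
        problems.append(f"hostname {fqdn!r} contains uppercase letters (FreeIPA rejects it)")
    name = fqdn.lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        problems.append(f"hostname {fqdn!r} is not fully qualified")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid DNS label")
    if not name.endswith("." + domain.lower().rstrip(".")):
        problems.append(f"hostname {fqdn!r} is not inside the IPA domain {domain!r}")
    return problems


def check_hosts_file(hosts_text: str, fqdn: str, ip: str, subnet: str) -> list[str]:
    """Check that /etc/hosts maps the FQDN to the static server IP inside the subnet."""
    problems = []
    addr = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(subnet, strict=False)
    if addr not in net:
        problems.append(f"{ip} is not inside {subnet}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {subnet}")
    # Build name -> {addresses} from the hosts file, ignoring comments and blank lines.
    mapped: dict[str, set[str]] = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            mapped.setdefault(name.lower(), set()).add(fields[0])
    entries = mapped.get(fqdn.lower().rstrip("."), set())
    if not entries:
        problems.append(f"{fqdn} is missing from /etc/hosts")
    elif entries != {ip}:
        problems.append(f"{fqdn} maps to {sorted(entries)} instead of {ip}")
    for a in entries:
        if ipaddress.ip_address(a).is_loopback:
            problems.append(f"{fqdn} resolves to loopback address {a}; the installer refuses that")
    return problems


def preflight(fqdn: str, domain: str, hosts_text: str, ip: str, subnet: str) -> list[str]:
    """Run both checks and return every problem found."""
    return check_hostname(fqdn, domain) + check_hosts_file(hosts_text, fqdn, ip, subnet)


if __name__ == "__main__":
    # Constructed sample; on the server read fqdn from `hostname -f` and hosts_text from /etc/hosts.
    sample_hosts = "127.0.0.1 localhost\n192.168.152.220 test-ipa01.test.intra test-ipa01\n"
    found = preflight("test-ipa01.test.intra", "test.intra", sample_hosts, "192.168.152.220", "192.168.152.0/24")
    print("OK" if not found else "\n".join(found))
```

An empty list from `preflight()` means the installer will at least get past its hostname checks; anything else is a reason to fix the name or the hosts file before spending ten minutes on a failed installation.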

We can start with the FreeIPA configuration now.

FreeIPA Server Configuration

Alright. Now, I already have a guide on how to install and configure FreeIPA, and I don’t want to create basically the same post again. At the same time, I want a single comprehensive guide on everything I want to do in this series. Sooo, here is another guide on FreeIPA. This time on Rocky Linux 9.

Let’s begin. I will mark pressing the enter key with “ENTER”.

admin@TEST-IPA01 :: ~ » sudo ipa-server-install --setup-dns
...
Server host name [test-ipa01.test.intra]: 
Warning: skipping DNS resolution of host test-ipa01.test.intra
The domain name has been determined based on the host name.
Please confirm the domain name [test.intra]: ENTER
Please provide a realm name [TEST.INTRA]: ENTER
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.
Directory Manager password: PASSWORD
Password (confirm): PASSWORD
The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.
IPA admin password: PASSWORD
Password (confirm): PASSWORD
Checking DNS domain test.intra., please wait ...
Do you want to configure DNS forwarders? [yes]: yes
Following DNS servers are configured in /etc/resolv.conf: 192.168.152.254
Do you want to configure these servers as DNS forwarders? [yes]: ENTER
All detected DNS servers were added. You can enter additional addresses now:
Enter an IP address for a DNS forwarder, or press Enter to skip: 
DNS forwarders: 192.168.152.254
Checking DNS forwarders, please wait ...
Do you want to search for missing reverse zones? [yes]: ENTER
Checking DNS domain 152.168.192.in-addr.arpa., please wait ...
Do you want to create reverse zone for IP 192.168.152.220 [yes]: ENTER
Please specify the reverse zone name [152.168.192.in-addr.arpa.]: 
Checking DNS domain 152.168.192.in-addr.arpa., please wait ...
Using reverse zone(s) 152.168.192.in-addr.arpa.
Trust is configured but no NetBIOS domain name found, setting it now.
Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
Example: EXAMPLE.
NetBIOS domain name [TEST]: ENTER
Do you want to configure chrony with NTP server or pool address? [no]: yes
Enter NTP source server addresses separated by comma, or press Enter to skip: 0.de.pool.ntp.org
The IPA Master Server will be configured with:
Hostname:       test-ipa01.test.intra
IP address(es): 192.168.152.220
Domain name:    test.intra
Realm name:     TEST.INTRA
The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=TEST.INTRA
Subject base: O=TEST.INTRA
Chaining:     self-signed
BIND DNS server will be configured to serve IPA domain with:
Forwarders:       192.168.152.254
Forward policy:   only
Reverse zone(s):  152.168.192.in-addr.arpa.
NTP server:     0.de.pool.ntp.org
Continue to configure the system with these values? [no]: yes

Now, the configuration process will begin. Wait until it’s done, it will take a few minutes.

Once done, we can access the WebUI. If you didn’t enter the FreeIPA server as your DNS server, you will have to edit your local hosts file or add the server to the DNS configuration of your current DNS server.

I will edit my hosts file.

fedora :: ~ » sudo vim /etc/hosts
192.168.152.220 test-ipa01.test.intra test-ipa01

Now, we can access the WebUI.

Enter the following into your browser. “https://test-ipa01.test.intra”.

Login with “admin” and the password you defined earlier in the configuration.

OK. We are in, but before we create a few users, I want to change a default setting.

Navigate to “IPA Server” -> “Configuration” and edit the “Default shell”. It should say “/bin/sh”, and I want to change it to a bash shell. Once done, click on “Save”.

Next we will start with creating a couple of users, “John Doe” and “Max Mustermann”. You can name them whatever you prefer.

In the “Identity” -> “Users” tab, click on “Add”.

Enter the username, password and click on “Add and Add Another”. Do the same for the second user, and click on “Add”.

Now we should have two users in the “users” tab.

Ok. Next, let’s set up a DHCP server. I will use the TEST-IPA01 server for this.

DHCP Server Installation and Configuration

DHCP Server installation

First, we need to install the application.

Log into the server via SSH and install the DHCP server.

admin@TEST-IPA01 :: ~ » sudo dnf install dhcp-server

DHCP Server configuration

Once installed, open the configuration file with your favorite text editor (I will use vim) and add the following lines. Make sure to type in your network information.

admin@TEST-IPA01 :: ~ » sudo vim /etc/dhcp/dhcpd.conf
subnet 192.168.152.0 netmask 255.255.255.0 {
  range 192.168.152.10 192.168.152.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.152.254;
  option domain-name-servers 192.168.152.220;
  option domain-name "test.intra";
}
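A mistake that is easy to make here is a pool that overlaps the statically configured hosts, so that the DHCP server eventually hands the FreeIPA server’s or the gateway’s address to some client. The following script is an added example, not code from the original post or from ISC dhcpd. It parses the subnet block above with regular expressions (enough for this simple block, not a full dhcpd.conf parser), takes the static hosts from the System Information table, and reports any address that is in the pool but should not be, plus a router or DNS option that does not belong to the subnet.

```python
"""Sanity check for a dhcpd.conf subnet block.

Added example (not from the post or from ISC dhcpd). DHCPD_CONF is a
constructed copy of the post's subnet block; STATIC_HOSTS comes from the
post's System Information table.
"""
import ipaddress
import re

DHCPD_CONF = """
subnet 192.168.152.0 netmask 255.255.255.0 {
  range 192.168.152.10 192.168.152.200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.152.254;
  option domain-name-servers 192.168.152.220;
  option domain-name "test.intra";
}
"""

# Statically configured addresses that must never be handed out as leases.
STATIC_HOSTS = {
    "TEST-IPA01": "192.168.152.220",
    "TEST-FEDORA": "192.168.152.225",
    "gateway": "192.168.152.254",
}

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
OPTION_RE = re.compile(r"\boption\s+([\w-]+)\s+([^;]+);")


def parse_subnet(conf: str) -> dict:
    """Return the subnet network, its pool range(s) and its options."""
    m = SUBNET_RE.search(conf)
    if not m:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    body = m.group(3)
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in RANGE_RE.findall(body)]
    options = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(body)}
    return {"network": net, "ranges": ranges, "options": options}


def check_subnet(conf: str, static_hosts: dict) -> list[str]:
    """Return a list of problems with the subnet block; an empty list means OK."""
    cfg = parse_subnet(conf)
    net, problems = cfg["network"], []
    if not cfg["ranges"]:
        problems.append("subnet has no range statement, so no leases can be handed out")
    for lo, hi in cfg["ranges"]:
        if lo > hi:
            problems.append(f"range {lo}-{hi} is reversed")
        if lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is not inside {net}")
        for name, addr in static_hosts.items():
            a = ipaddress.ip_address(addr)
            if lo <= a <= hi:
                problems.append(f"static host {name} ({a}) lies inside pool {lo}-{hi}")
    for opt in ("routers", "domain-name-servers"):
        for addr in cfg["options"].get(opt, "").replace(",", " ").split():
            if ipaddress.ip_address(addr) not in net:
                problems.append(f"option {opt} {addr} is not inside {net}")
    if cfg["options"].get("subnet-mask") != str(net.netmask):
        problems.append("option subnet-mask does not match the subnet netmask")
    return problems


if __name__ == "__main__":
    found = check_subnet(DHCPD_CONF, STATIC_HOSTS)
    print("OK" if not found else "\n".join(found))
```

With the values from this post the check passes; widening the range to, say, 192.168.152.230 would flag both TEST-IPA01 and TEST-FEDORA. If you later reserve more static addresses, add them to STATIC_HOSTS and run it again before restarting dhcpd.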

Start and enable the dhcp service.

admin@TEST-IPA01 :: ~ » sudo systemctl enable dhcpd --now

Next, add the firewall rules to allow DHCP requests.

admin@TEST-IPA01 :: ~ » sudo firewall-cmd --add-service dhcp --permanent
admin@TEST-IPA01 :: ~ » sudo firewall-cmd --reload

DHCP Dynamic DNS Update

At this point, the DHCP configuration would be done, but I would also like to enable dynamic DNS updates. This requires a few more steps.

First, create a key file. We need this to authenticate the DHCP server.

admin@TEST-IPA01 :: ~ » sudo rndc-confgen -a -b 512
wrote key file "/etc/rndc.key"

Verify that the key was generated.

admin@TEST-IPA01 :: ~ » sudo cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-sha256;
        secret "MJurVJTAd6ltIG9KAtBjHbwYPM4jMByJyErGEcRYb5wgIHdQThl0CNtODGzkLy9fS6zkfguwA==";
};

Alright. Now we edit the named.conf file under /etc/ and include the newly generated key file.

admin@TEST-IPA01 :: ~ » sudo vim /etc/named.conf
...
include "/etc/rndc.key";
...

Next, we have to edit the bind update policy. Before we do this though, check the current configuration and make a note of the setting.

admin@TEST-IPA01 :: ~ » kinit admin
admin@TEST-IPA01 :: ~ » ipa dnszone-show test.intra
  Zone name: test.intra.
  Active zone: True
  Authoritative nameserver: test-ipa01.test.intra.
  Administrator e-mail address: hostmaster.test.intra.
  SOA serial: 1719830938
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant TEST.INTRA krb5-self * A; grant TEST.INTRA krb5-self * AAAA; grant TEST.INTRA krb5-self * SSHFP;
  Dynamic update: True
  Allow query: any;
  Allow transfer: none;

Make sure you note the “BIND update policy” value (marked in red in the screenshot); it has to be repeated in full in the next step.

Now edit the policy.

admin@TEST-IPA01 :: ~ » ipa dnszone-mod test.intra --dynamic-update=True --update-policy='grant TEST.INTRA krb5-self * A; grant TEST.INTRA krb5-self * AAAA; grant TEST.INTRA krb5-self * SSHFP; grant "rndc-key" zonesub ANY;' 

After restarting the service, the automatic updates should work.

admin@TEST-IPA01 :: ~ » sudo ipactl restart 
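Two details of this section are worth automating. First, `ipa dnszone-mod --update-policy` replaces the whole policy string, so an edit that forgets the three krb5-self grants silently breaks the DNS self-updates of every joined client; the helper below appends the key grant while keeping what is there. Second, the post configures the BIND/IPA side of the exchange, but dhcpd only sends updates once it is told which key and which zones to use. The following script is an added example, not code from the original post, from FreeIPA or from ISC dhcpd: it parses an rndc.key file in the format shown above, merges the grant into the zone policy, and renders the dhcpd.conf statements in ISC dhcpd’s documented syntax (`ddns-update-style`, `key` and `zone`). The key secret in it is a constructed placeholder, not the key from this post.

```python
"""Helpers for the DHCP -> FreeIPA DNS dynamic-update setup.

Added example (not from the post, FreeIPA or ISC dhcpd). RNDC_KEY_FILE is a
constructed sample in the format rndc-confgen writes; its secret is a
placeholder. CURRENT_POLICY is copied from the post's `ipa dnszone-show` output.
"""
import re

RNDC_KEY_FILE = '''key "rndc-key" {
        algorithm hmac-sha256;
        secret "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=";
};
'''

CURRENT_POLICY = ("grant TEST.INTRA krb5-self * A; "
                  "grant TEST.INTRA krb5-self * AAAA; "
                  "grant TEST.INTRA krb5-self * SSHFP;")

KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', re.S)


def parse_rndc_key(text: str) -> dict:
    """Return {'name', 'algorithm', 'secret'} from an rndc.key style TSIG key file."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    return {"name": m.group(1), "algorithm": m.group(2), "secret": m.group(3)}


def split_policy(policy: str) -> list[str]:
    """Split a BIND update-policy string into its individual rules."""
    return [rule.strip() for rule in policy.split(";") if rule.strip()]


def add_key_grant(policy: str, key_name: str, scope: str = "zonesub", types: str = "ANY") -> str:
    """Append a `grant "<key>" zonesub ANY` rule while keeping every existing rule."""
    rules = split_policy(policy)
    new_rule = f'grant "{key_name}" {scope} {types}'
    if new_rule not in rules:
        rules.append(new_rule)
    return "; ".join(rules) + ";"


def policy_keeps_existing(old: str, new: str) -> bool:
    """True if every rule of the old policy is still present in the new one."""
    return set(split_policy(old)) <= set(split_policy(new))


def render_dhcpd_ddns(key: dict, forward_zone: str, reverse_zone: str, dns_server: str = "127.0.0.1") -> str:
    """Render the global dhcpd.conf statements for TSIG-signed updates of both zones."""
    name, algorithm, secret = key["name"], key["algorithm"], key["secret"]
    out = [
        "ddns-update-style standard;",
        "ddns-updates on;",
        "update-static-leases on;",
        f'key "{name}" {{',
        f"  algorithm {algorithm};",
        f'  secret "{secret}";',
        "};",
    ]
    for zone in (forward_zone, reverse_zone):
        # dhcpd zone names carry a trailing dot; primary is the DNS server to send updates to.
        out += [f"zone {zone.rstrip('.')}. {{", f"  primary {dns_server};", f'  key "{name}";', "}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    key = parse_rndc_key(RNDC_KEY_FILE)
    new_policy = add_key_grant(CURRENT_POLICY, key["name"])
    assert policy_keeps_existing(CURRENT_POLICY, new_policy)
    print("ipa dnszone-mod test.intra --dynamic-update=True --update-policy='%s'" % new_policy)
    print(render_dhcpd_ddns(key, "test.intra", "152.168.192.in-addr.arpa"))
```

The rendered statements go into /etc/dhcp/dhcpd.conf on TEST-IPA01, outside the subnet block, and `dhcpd -t` checks the syntax before a restart. Keep in mind that whoever holds that TSIG secret can rewrite the zone, so dhcpd.conf must stay readable only by root and the dhcpd user.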

FreeIPA Client DNS Updates

By the way, this is strictly only needed for systems that are not joined to the IPA domain. For clients that will be joined, you can use the option "--enable-dns-updates" to update their DNS entries automatically.

ipa-client-install --enable-dns-updates --mkhomedir

Adding a client to the FreeIPA server

Installing the Client

I want to add a client to the system, so we can play around a bit more. For this, I will be using Fedora 40 GNOME, since I think this has the best enterprise login support of the desktop environments.

Like with the first ISO, I will download it directly into the ISO folder.

proxmox :: iso » wget https://download.fedoraproject.org/pub/fedora/linux/releases/40/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-40-1.14.iso

Create a new VM on Proxmox with the Fedora ISO, the steps are identical to the first one, just replace the ISO with the new one.

Once it’s booted into the live ISO, click on “Install Fedora…”

Choose your language.

Go through the basic configuration and hit “Begin Installation”.

Once done, click on “Finish Installation” and reboot the client.

Adding the Client to FreeIPA

Once it’s booted up, we should see the “Setup” window.

Set the privacy configuration.

I will enable the “Third-Party Repositories”.

Now, here is the step that differs from a normal setup. Make sure that the DNS server is the FreeIPA server, otherwise the enterprise login will not work.

Click on “Enterprise Login” at the bottom of the window.

Enter the domain and credentials for the user.

We should get a popup which requires us to enter the administrator credentials.

Make sure to enter a full hostname with the domain. So “fedora-gnome.test.intra” in my case, otherwise you will get an error.

Sudo Permissions

Keep in mind that the first user added to the client will be put into the “wheel” group, meaning they can execute sudo commands. If you don’t want that, either remove the user from the group by typing the following command after login (replace <username> with the login name):

sudo usermod -r -G wheel <username>

Or go through the setup without joining the domain and create a local user first. After that, you can join the client normally.

User Login

Another setting that differs from a later domain join: if you join the domain directly and register a user, only that user can log in to this host. If you want to change this later, type in the following as an administrator.

realm permit --all

If you want to limit it to a specific user.

realm permit user@test.intra

If everything worked, you should get an “All done!” window.

After closing the window, nothing happened in my case. I think it should log in with the user, but I had to restart the client through the Proxmox UI. Anyway, after a reboot, we should see the login screen with the user we typed in earlier.

After typing in the password for the user, we will be asked to change it. Type in the new password and login.

Alright. We are logged in with a centralized FreeIPA user.

Ok. We deployed Rocky Linux 9, installed FreeIPA, configured a DHCP server and joined a client to the domain. We have our baseline now, next time we can start creating a few rules, testing the sudo permissions and adding a few more servers.

Till next time.
