

I created this article because the only existing article on how to install FreeIPA on Ubuntu was from 2010-2011 and had many steps that are no longer necessary. Bugs have been fixed over time and it is now much easier to get it done successfully. We are still working intensively on improvements and bug fixes, and updates to this documentation will be made in the coming weeks / months. If you have any questions, visit us on freenode #ubuntu-freeipa

# Date: 2013-02-27
# Ubuntu 12.04 (Precise)
#
# Install FreeIPA Client version 2.1.4
# Configure FreeIPA Client version 2.1.4 with FreeIPA Server Version V2 or V3
########################################################################

0- Pre-install step
This step helps if your DNS is not properly configured or if your client has trouble detecting the DNS configuration.
If your DNS is not configured properly, add the IPA server to your /etc/hosts file.
Make sure you change the IP and hostname to those of your IPA server.

echo "10.0.0.2 ipa.example.com" >> /etc/hosts


Make sure your resolv.conf contains your IPA server's IP if your IPA server is also your DNS server.

nameserver 10.0.0.2


Set your hostname to a valid FQDN (host.example.com):

echo "testipaclient.example.com" > /etc/hostname
reboot



1- Add the PPA repositories to fix an issue with libnss3 not being included with the FreeIPA-Client package from the main repository

apt-get update;
apt-get upgrade;
apt-get -y install python-software-properties;
apt-add-repository http://ppa.launchpad.net/freeipa/ppa/ubuntu; 
apt-add-repository 'http://ppa.launchpad.net/sssd/updates/ubuntu'; 
apt-get update


2- Install FreeIPA Client 2.1.4 from main repository

apt-get install freeipa-client

The installer will ask you to enter your Kerberos realm.
The realm is usually your domain name (FQDN) in upper case. Ex.: EXAMPLE.COM
It will then ask you to enter your Kerberos server and admin server.
This is your FreeIPA server hostname.

3- Configure FreeIPA Client to connect to the FreeIPA server
Refer to this documentation for the list of all options: https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Installing_the_IPA_Client_on_Linux.html

Install in interactive mode. 

ipa-client-install --enable-dns-updates


4- Configure FreeIPA client to create the home directory on first login
Edit /etc/pam.d/common-session so that it looks like this.
It is important that pam_mkhomedir.so comes before pam_sss.so and before pam_unix.so:
 
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional        pam_sss.so
session required        pam_unix.so
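
A check for the layout in step 4, added here as an example and not part of the original article: check_session_order reports whether pam_mkhomedir.so precedes pam_sss.so and pam_unix.so, and missing_modules lists modules named in the file that are absent from the given module directories. The function names, sample files and stand-in module directory are assumptions made for illustration.

```shell
# Added example, not part of the original article.
# check_session_order FILE
#   returns 0 = pam_mkhomedir.so is listed before pam_sss.so and pam_unix.so
#           1 = a module has no "session" line, 2 = pam_mkhomedir.so not first
check_session_order() {
    awk '
    function is(mod, f) {   # bare module name, or a path ending in it
        return f == mod || substr(f, length(f) - length(mod)) == "/" mod
    }
    $1 == "session" || $1 == "-session" {
        for (i = 2; i <= NF; i++) {
            if (!mk  && is("pam_mkhomedir.so", $i)) mk  = NR
            if (!sss && is("pam_sss.so", $i))       sss = NR
            if (!ux  && is("pam_unix.so", $i))      ux  = NR
        }
    }
    END { if (!mk || !sss || !ux) exit 1; exit ((mk < sss && mk < ux) ? 0 : 2) }
    ' "$1"
}

# missing_modules FILE DIR...
#   Prints every pam_*.so named in FILE that exists in none of the DIRs.
missing_modules() {
    file=$1; shift
    awk '$1 !~ /^#/ {
        for (i = 2; i <= NF; i++) if ($i ~ /^pam_[a-z0-9_]+\.so$/) print $i
    }' "$file" | sort -u |
    while read -r mod; do
        found=no
        for dir in "$@"; do
            if [ -e "$dir/$mod" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then echo "$mod"; fi
    done
}

# Constructed sample data: the step 4 layout, a wrongly ordered copy, and a
# stand-in module directory that lacks pam_sss.so.
sample=$(mktemp -d)
printf '%s\n' 'session required pam_mkhomedir.so umask=0022 skel=/etc/skel' \
    'session optional pam_sss.so' 'session required pam_unix.so' > "$sample/good"
printf '%s\n' 'session optional pam_sss.so' 'session required pam_unix.so' \
    'session required pam_mkhomedir.so umask=0022' > "$sample/bad"
mkdir "$sample/mods"
touch "$sample/mods/pam_mkhomedir.so" "$sample/mods/pam_unix.so"
check_session_order "$sample/good" && echo "good: order ok"
check_session_order "$sample/bad" || echo "bad: order check returned $?"
echo "missing: $(missing_modules "$sample/good" "$sample/mods")"
```

On a client, run both functions against /etc/pam.d/common-session and the directories where PAM modules are installed.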


##########################
### Works with:
### IPA client 2.1.4
### IPA Server: V3.1.2 or V2.1.4
##########################

Note:
1. Use SSSD 1.9.4 from https://launchpad.net/~sssd/+archive/updates, otherwise resetting a password after expiration will not work.


###
#  Please share this post so people can have an up-to-date guide to install FreeIPA on Ubuntu.
#
###





 
 
Comments about this article
Lots of errors, help...
written by: andrewprecht on 2013-11-27 17:31:52
Hi,
On a fresh install of 12.04, in step 3, Install in interactive mode.
sudo ipa-client-install enable-dns-updates

I get the error:
IPA client is already configured on this system. If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install uninstall'

So, I ran:
sudo ipa-client-install uninstall
And then deleted: /etc/ipa/default.conf I also removed the Ubuntu workstation from the FreeIPA host list and dns.

Then I went back to step 3, and ran:
sudo ipa-client-install enable-dns-updates

This time, I got the error:
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.

So, I added the directory /etc/pki/nssdb and did the uninstall steps and reran the install.

This time I got the error:
host_mod: 2.58 client incompatible with 2.46 server at u'https://ipa1.example.com/ipa/xml'
Failed to upload host SSH public keys.

I have read that this is not fatal so, I rebooted. There was only a choice of the local user and guest to login. So, I edited lightdm-set-defaults to show the other login:
sudo /usr/lib/lightdm/lightdm-set-defaults --show-manual-login true

And rebooted. Now I can switch to the other (login) button. But, no luck using any of the user accounts on the IPA server. I know these accounts work with my Centos servers. I tried user name, user name@example.com and example.com\user name. None worked. Once logged in with the local account I was able to run:
sudo id and get back the UID, GID and groups for the user. So my Ubuntu box is talking to my IPA server. But it's not looking to the IPA server for authentication.

Any help would be appreciated.
Thanks,
Andrew
RE: Lots of errors, help...
written by: andrewprecht on 2013-12-02 15:18:53
I would add:
Here is what I'm seeing in the /var/log/auth.log
(ipa user name is a working user on the IPA server)

Dec 2 08:58:12 ubuntuap lightdm: PAM adding faulty module: pam_sss.so
Dec 2 08:58:17 ubuntuap lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "ipa user name"
Dec 2 08:58:25 ubuntuap lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=ipa user name
Dec 2 08:58:27 ubuntuap lightdm: PAM unable to dlopen(pam_sss.so): /lib/security/pam_sss.so: cannot open shared object file: No such file or directory

Also, all the /var/log/sssd logs are empty.