RHEL7: Configure a FreeIPA client.

Share this link

To be able to configure a FreeIPA client, you need to set up a FreeIPA server first.

In this tutorial, we assume that the FreeIPA server is called ipaserver.example.com and the FreeIPA client named ipaclient.example.com. If no DNS server working (not advisable), update the /etc/hosts file of the two machines accordingly.

Install the FreeIPA client packages:

# yum install -y ipa-client ipa-admintools

Execute the client installation script:

# ipa-client-install --force-ntpd
DNS discovery failed to determine your DNS domain
Provide the domain name of your IPA server (ex: example.com): example.com                              
Provide your IPA server name (ex: ipa.example.com): ipaserver.example.com
The failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.
Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Hostname: ipaclient.example.com
DNS Domain: example.com
IPA Server: ipaserver.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Password for admin@EXAMPLE.COM: adminipa
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Tue Sep 09 14:37:07 2014 UTC
    Valid Until: Sat Sep 09 14:37:07 2034 UTC

Enrolled in IPA realm EXAMPLE.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm EXAMPLE.COM
trying https://ipaserver.example.com/ipa/xml
Forwarding 'ping' to server 'https://ipaserver.example.com/ipa/xml'
Forwarding 'env' to server 'https://ipaserver.example.com/ipa/xml'
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Forwarding 'host_mod' to server 'https://ipaserver.example.com/ipa/xml'
Could not update DNS SSHFP records.
SSSD enabled
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

Note: You can safely ignore the messages in italic: to avoid these messages, additional configuration on the DNS server is required.

Check the configuration:

# getent passwd admin
# getent group admins

Source: RHEL 7 Linux Domain Identity Authentication and Policy Guide.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
5 comments on “RHEL7: Configure a FreeIPA client.
  1. Sam says:


    There is a bug with the FreeIPA. If the following is not set then Configuring certificate server (pki-tomcatd) fails, or causes issues.

    The host name must also be set in


  2. awhitaker says:

    Would installing openldap-clients and nss-pam-ldapd do the same thing?

Leave a Reply

RHCSA7: Task of the day

Allowed time: 5 minutes.
Create a new user account called "bob" with password "redhat" and set expiration in one week.

RHCE7: Task of the day

Allowed time: 15 minutes.
Configure a Samba server called MYSERVER, belonging to the MYGROUP group, sharing the /shared directory with the name "shared".

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...