From Fedora Project Wiki

Revision as of 22:14, 17 July 2018 by Adamwill (update firewall instructions)

{{QA/Test_Case |description=Test that the IPA server can be installed |setup=

  1. For testing purposes, a machine (or VM) with 1 GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. Make sure /etc/hosts is sane: your hostname must be fully qualified and must not appear on either the IPv4 (127.0.0.1) or the IPv6 (::1) localhost line. ipa-server-install refuses to continue when the hostname resolves to a loopback address.
  3. In the following text, we assume that the IPA server name is and the realm is IPA.EXAMPLE.ORG
  4. If you have an existing AD server in your network, choose a different realm name for the IPA server. Clients that use DNS autodiscovery to find a KDC may otherwise pick the AD KDC and try to authenticate there. It is recommended that FreeIPA and AD serve different domains, for example and
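A pre-flight check for the /etc/hosts rule above, added here as an example; it is not part of FreeIPA or of the Fedora QA tooling. The function name check_hosts_file is an assumption, and the hosts file contents in the comments are constructed. It fails when the hostname is not fully qualified or is mapped to 127.0.0.0/8 or ::1, which is exactly what ipa-server-install rejects, and warns when the name is absent from the file and therefore has to come from DNS.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): sanity-check /etc/hosts before
# running ipa-server-install.
# Usage: check_hosts_file /etc/hosts "$(hostname)"
# Exit status: 0 = ok, 1 = hostname not an FQDN or mapped to loopback,
#              2 = hostname not in the file (must then resolve via DNS).

# Returns 0 if $1 is a loopback address (127.0.0.0/8 or ::1).
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_hosts_file FILE HOSTNAME
check_hosts_file() {
    file=$1
    name=$2
    loopback_hit=0
    real_hit=0
    case "$name" in
        *.*) ;;
        *) echo "FAIL: '$name' is not fully qualified; ipa-server-install needs an FQDN" >&2
           return 1 ;;
    esac
    # Each hosts line is "ADDRESS NAME [ALIAS...]"; skip blanks and comments
    # and drop trailing comments. A file without a final newline would lose
    # its last line here, so keep /etc/hosts newline-terminated.
    while read -r addr names; do
        case "$addr" in ''|'#'*) continue ;; esac
        names=${names%%#*}
        for n in $names; do
            [ "$n" = "$name" ] || continue
            if is_loopback "$addr"; then
                echo "FAIL: $name is mapped to loopback address $addr in $file" >&2
                loopback_hit=1
            else
                real_hit=1
            fi
        done
    done < "$file"
    if [ "$loopback_hit" -eq 1 ]; then
        return 1
    elif [ "$real_hit" -eq 1 ]; then
        return 0
    else
        echo "WARN: $name is not in $file; it must resolve via DNS to a non-loopback address" >&2
        return 2
    fi
}

# Constructed example of a good file:
#   127.0.0.1   localhost localhost.localdomain
#   ::1         localhost
#   192.0.2.10  ipa.ipa.example.org ipa
# and of a bad one (hostname on the loopback line):
#   127.0.0.1   localhost ipa.ipa.example.org
```

Run it as `check_hosts_file /etc/hosts "$(hostname)"` before the install; a Debian-style `127.0.1.1 hostname` line is reported as a loopback mapping too, since the installer treats it the same way.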

First, install the FreeIPA server package:

# yum install freeipa-server

With DNS

We highly recommend installing FreeIPA with the integrated DNS service, as it makes client autodiscovery and AD Trust configuration much easier. You only need to make sure that the domain managed by FreeIPA is properly delegated to the FreeIPA server, or that your VMs use the FreeIPA server as their resolver directly (by configuring your DHCP server or manually updating /etc/resolv.conf).

# yum install bind bind-dyndb-ldap
# ipa-server-install --setup-dns

Or with all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --realm=IPA.EXAMPLE.ORG --hostname --setup-dns --forwarder=<forwarder IP> -U

Substitute your existing DNS server's IP for <forwarder IP>, or pass --no-forwarders. Note that -a (admin password) and -p (Directory Manager password) given on the command line end up in the shell history and are visible in the process list while the installer runs; on anything but a throwaway test VM, omit them and let the installer prompt.

Without DNS

For a fully-interactive install run:

# ipa-server-install

You can optionally provide all options on the command-line:

# ipa-server-install -a Secret123 -p Secret123 --realm=IPA.EXAMPLE.ORG --hostname -U

Verify the basics

Ideally each of these installation steps will finish with no errors and will yield a running set of IPA services.

To briefly test the installation:

# kinit admin  # (the password is the admin password, or the password from -a)

Show our own user entry:

# ipa user-show admin

And make sure nss can see us too:

# id admin
# getent passwd admin

Verify the server_mode

Starting with version 3.3, the SSSD instance running on the server operates in a special mode, enabled by the ipa_server_mode directive in the [domain/...] section of /etc/sssd/sssd.conf. Verify it has been set (the line must be in the domain section and not commented out):

# grep server_mode /etc/sssd/sssd.conf 
ipa_server_mode = True

Verify DNS

Verify these only if you installed with a DNS server.

# dig

Look for a line like this in the output:      86400   IN      A
# host has address
# ipa dns-resolve
Found ''
# ipa host-show
  Host name:
  Principal name: host/
  Keytab: True
  Managed by:

Configure the Firewall

To open the ports typically required for FreeIPA (LDAP and LDAPS, Kerberos, HTTP and HTTPS, plus DNS if you installed with --setup-dns) using firewalld, run these commands; if you later configure an AD trust, also add the freeipa-trust service:

# for i in freeipa-ldap freeipa-ldaps dns; do firewall-cmd --permanent --add-service $i; done
# systemctl restart firewalld.service
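Post-install checks for the two verification steps above (the ipa_server_mode setting and the firewalld services), added here as an example and not part of FreeIPA or of this test case. The function names are assumptions, the sssd.conf snippet in the comments is constructed, and IPA_SERVICES is taken from the firewall-cmd loop on this page. The SSSD check is stricter than the grep above: it only accepts the directive inside a [domain/...] section and ignores commented-out lines. The firewall check compares both the runtime and the permanent service sets, because services added with --permanent are not live until firewalld is reloaded or restarted.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): verify SSSD server mode and firewalld
# after ipa-server-install.

# Services this page adds; append freeipa-trust when an AD trust is configured.
IPA_SERVICES="freeipa-ldap freeipa-ldaps dns"

# sssd_server_mode_enabled CONF
# Returns 0 if "ipa_server_mode = true" (any case) appears, uncommented,
# inside a [domain/...] section of CONF; 1 otherwise.
sssd_server_mode_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                         # comment line
        /^[ \t]*\[/ {                                  # section header
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            next
        }
        in_domain && tolower($0) ~ /^[ \t]*ipa_server_mode[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# firewall_missing_services ACTIVE REQUIRED
# ACTIVE is the space-separated output of `firewall-cmd --list-services`
# (passed in as a string so the check can be exercised offline). Prints each
# REQUIRED service not present in ACTIVE, one per line, and returns 1 if any
# is missing, 0 if all are present.
firewall_missing_services() {
    active=" $1 "
    missing=0
    for svc in $2; do
        case "$active" in
            *" $svc "*) ;;
            *) echo "$svc"; missing=1 ;;
        esac
    done
    return $missing
}

# check_firewall [ZONE]
# Queries firewalld for both the runtime and the permanent configuration of
# ZONE (default zone when omitted) and reports services missing from either.
# Returns 0 when both sets are complete, 1 when something is missing,
# 2 when firewall-cmd is unavailable or fails.
check_firewall() {
    zone_opt=""
    [ -n "${1:-}" ] && zone_opt="--zone=$1"
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    status=0
    for mode in runtime permanent; do
        opt=""
        [ "$mode" = permanent ] && opt="--permanent"
        active=$(firewall-cmd $zone_opt $opt --list-services) || return 2
        missing=$(firewall_missing_services "$active" "$IPA_SERVICES") ||
            { echo "$mode configuration is missing: $(echo $missing)" >&2; status=1; }
    done
    return $status
}

# Constructed sssd.conf fragment that passes the check:
#   [sssd]
#   domains = ipa.example.org
#   [domain/ipa.example.org]
#   id_provider = ipa
#   ipa_server_mode = True
#
# On the server: sssd_server_mode_enabled /etc/sssd/sssd.conf && check_firewall
```

If check_firewall reports the services missing only from the runtime configuration, firewalld was not reloaded after the --permanent changes; a `firewall-cmd --reload` is enough, the full restart shown above is not required.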

Client testing

Add a client

If you have a second machine (or VM), install a client or a replica on it. If you installed DNS, edit /etc/resolv.conf on the client and add the FreeIPA server as a nameserver so that autodiscovery works.

# yum install freeipa-client
# ipa-client-install

Or with all options on the command-line.

# yum install freeipa-client
# ipa-client-install -p admin -w Secret123 -U

Here -p is the principal used to enroll the client and -w its password (unlike ipa-server-install, where -p is the Directory Manager password). The same caveat applies: a password on the command line is recorded in the shell history, so prefer the prompt on anything but a test VM.

Verify that nss can see us:

# id admin
# getent passwd admin

With the freeipa-admintools package, you can test the installation using the ipa command (on FreeIPA 4.5 and later the ipa command is already part of freeipa-client, so this extra package is only needed on older releases):

# yum install freeipa-admintools
# kinit admin
# ipa user-show admin

Remove a client

When you are done with a client, you can uninstall it:

# ipa-client-install --uninstall

The uninstallation should complete with no errors. To verify that uninstallation was successful, install the client again.