FreeIPA is an Identity Policy and Authentication solution. We are currently using this for our internal management networks.

Basically follow this. Also DNS is suuuuuuupppppeeeerrrrr important.

As a note, you should install libsss_sudo. Otherwise you might get this error:

sudo: unable to load /usr/lib64/ /usr/lib64/ cannot open shared object file: No such file or directory
sudo: unable to initialize SSS source. Is SSSD installed on your machine?

When running sudo on the server.

On RHEL based ones (and Ubuntu 16.04), install freeipa-client. Super easy. Then run:

ipa-client-install --mkhomedir --enable-dns-updates --ssh-trust-dns

However, if you're on debian-master-race, you don't need hand holding and an “automated client”. Let's dig into some config files.

  1. Install sssd
  2. Copy the configuration file to /etc/sssd/sssd.conf
    1. Don't forget to s/
  3. chown root:root /etc/sssd/sssd.conf and chmod 0600 /etc/sssd/sssd.conf
  4. Grab your krb5.keytab, and dump it to /etc/krb5.keytab
    1. ipa-getkeytab -p host/ -k /tmp/keytab
  5. Grab the CA cert (/etc/ipa/ca.crt on the FreeIPA server) and save it to /etc/sssd/ipa.crt
  6. Append the following line to /etc/pam.d/common-session
    1. session required skel=/etc/skel/
  7. Append the following lines to /etc/ssh/sshd_config to allow public key logins
    1. AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    2. AuthorizedKeysCommandUser nobody
  8. Append the following line to /etc/systemd/timesyncd.conf
  9. Enable NTP: timedatectl set-ntp yes
  10. GG, you're done.
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ldap
# Configure IPA
ipa_domain =
ipa_hostname =
# Configure sudo
ldap_uri = ldaps://
ldap_tls_cacert = /etc/sssd/ipa.crt
ldap_sudo_search_base = ou=sudoers,dc=ubnetdef,dc=net
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/
ldap_sasl_realm = UBNETDEF.NET
krb5_server =
krb5_realm = UBNETDEF.NET
services = nss, pam, ssh, sudo
config_file_version = 2
domains =

Include the specific settings (search stuff, bind user, etc). Link to each service's page on how to finalize the configuration.

  • Bind User: uid=bind,cn=users,cn=accounts,dc=ubnetdef,dc=net
  • Search Base DN: cn=users,cn=accounts,dc=ubnetdef,dc=net
  • User Search Pattern: (&(objectClass=inetorgperson)(uid=#USERNAME#))
  • Group Search Base DN: cn=groups,cn=accounts,dc=ubnetdef,dc=net
  • Group Search Pattern: (&(objectClass=groupofnames)(cn=#GROUPNAME#))
  • guides/freeipa.txt
  • Last modified: 2017/11/29 21:11
  • by jamesdro