Search This Blog

Tuesday, January 31, 2012

HowTo: Free IPA on Fedora

InstallAndDeploy - Free IPA

The above link is mostly correct, but a few changes for Fedora 16 and above.

systemctl disable NetworkManager.service
chkconfig network on
systemctl start network.service

# IPA isn't enabled by default (yet)
systemctl enable ipa.service
systemctl restart sshd.service
systemctl start ipa.service
# Set up your local browser with the IPA cert.
firefox http://localhost

# Define this machine as a client to the new server.

ipa-ldap-updater --test

Problem: system-config-authentication doesn't work with IPA yet.
Solution: ipa-client-install (Thank you sgallagh)
Watch for this bug 731094 to be resolved as well.
On the root server, ipa-client-install is done as part of ipa-server-install.

Problem: IPA and Dirsrv not started.
/var/log/messages: startup - The default password storage scheme SSHA could not be read or was not found in the file /etc/dirsrv/slapd-PKI-IPA/dse.ldif. It is mandatory.

On a hard shutdown, the dse.ldif files were empty.

[root@montechristo ~]# locate dse.ldif

Solution: Copy dse.ldif bak files, and restart services.

cp /etc/dirsrv/slapd-PKI-IPA/dse.ldif.bak /etc/dirsrv/slapd-PKI-IPA/dse.ldif
systemctl restart dirsrv@PKI-IPA.service
cp /etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif.bak /etc/dirsrv/slapd-SOLENGTECH-BIZ-TM/dse.ldif
systemctl start dirsrv@SOLENGTECH-BIZ-TM.service
systemctl start ipa.service


  1. Authconfig (aka system-config-authentication) is not the correct way to set up a client of FreeIPA right now.

    We have an open bug ( to add direct support.

    What you're seeing here is actually the configuration necessary to set up a client to talk to FreeIPA v1. It does not support setting up some of the advanced features of FreeIPA v2, most notably client enrollment and host-based access control (HBAC rules).

    The preferred way to configure a client to connect to a FreeIPA v2+ server is to use the 'ipa-client-install' tool from the 'freeipa-client' package.

    This will perform all the necessary steps to configure and enroll the client, including acquiring a host keytab that can be used by openssh for GSSAPI/Kerberos single-sign-on.

    1. Perfect, thank you. My goal is to define a default set of commands to have a physical server share accounts and permissions with IPA. So each VM would be an ipa client. ipa-ldap-updater isn't doing what I expect yet, on to ipa-client-install.