FreeIPA Core Basics

Page 09 — What FreeIPA is, common objects, useful commands, and troubleshooting.

What FreeIPA is

FreeIPA is an identity management platform for Linux environments. It combines several systems into one:

Why it matters

Without centralised identity management, every machine manages its own local users. That does not scale. FreeIPA centralises identity and access so you can manage users, groups, and access policies from one place instead of editing /etc/passwd on every server.

Common objects

user
A person's identity account. Has a UID, password, and group memberships.
group
A named collection of users. Used in HBAC rules, sudo rules, and access policies.
host
A managed machine identity enrolled in FreeIPA.
hostgroup
A collection of hosts. Used in HBAC rules to define target machines.
service
An identity for a service, not a human. Example: HTTP/host.example.com.
HBAC rule
Host-Based Access Control. Controls which users can log into which hosts via which services.
sudo rule
Controls which users can run sudo commands on which hosts.

Useful commands

ipa user-find
ipa user-show alice
ipa user-add alice --first Alice --last Example
ipa group-find
ipa group-show admins
ipa host-find
ipa host-show host01.example.com
ipa service-find

Tip: Most ipa commands accept --all to show all attributes and --raw for raw output. Run ipa help for a full list of commands.

Kerberos basics

FreeIPA uses Kerberos for authentication. You need a valid Kerberos ticket to use ipa commands as an admin — and many services use Kerberos tickets instead of passwords.

kinit              # get a ticket (prompts for password)
klist              # list current tickets and expiry times
kdestroy           # destroy all tickets (log out)

Why these matter: if auth problems occur, ticket state is often part of the issue. Always check klist first.

Time matters: Kerberos authentication will fail if the client's clock is skewed more than 5 minutes from the server. Ensure Chrony is running and time is synced.

Enroll a client

Run on the machine you want to join to FreeIPA:

# Minimal — prompts for IPA server and admin password
ipa-client-install

# Specify server and domain explicitly (good for automation)
ipa-client-install \
  --server=ipa01.example.com \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --principal=admin \
  --password=AdminPassword

# OTP (one-time password) enrollment — admin pre-generates an OTP in IPA
# then the host uses it instead of admin credentials
ipa-client-install --password=OTP123456

# If the host was previously enrolled and you need to re-enroll
ipa-client-install --force-join --unattended

This configures SSSD, Kerberos, and NTP on the client and creates a host object in FreeIPA. The machine then uses FreeIPA for user authentication.

For Ansible automation: use the ansible.builtin.command module with creates: /etc/ipa/default.conf so the task is idempotent — if the file already exists the host is already enrolled and the task is skipped.

DNS in FreeIPA

ipa dnszone-find
ipa dnsrecord-find example.com

Troubleshooting

Common logs and files

journalctl -u sssd -n 50
cat /var/log/sssd/sssd.log

Host enrollment and keytab check

# Check if a host is enrolled and its current state
ipa host-show web01.example.com

# Useful fields in the output:
#   Keytab: True/False  — whether the host has a valid keytab
#   SSH public key: ...  — if the host publishes SSH keys via IPA
#   Enrolled: True/False

# List all hosts
ipa host-find

# Check the host keytab locally
klist -kt /etc/krb5.keytab   # should show host/fqdn@REALM entries (the principal name is lowercase)

# If the keytab is missing or invalid, re-retrieve it (needs an admin ticket: kinit admin).
# This generates a new key and bumps the key version (KVNO), so any other copy of this
# host's keytab becomes stale.
ipa-getkeytab -s ipa01.example.com -p host/$(hostname -f) -k /etc/krb5.keytab

A missing or stale host keytab is a common reason SSSD stops working after a server rebuild or re-image. The usual fix is to re-run ipa-getkeytab and restart sssd.
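The following is an added example, not part of the original page: a small keytab health check that goes one step beyond "is the host principal in the keytab" by comparing the key version (KVNO) in /etc/krb5.keytab with the one the KDC reports, since every ipa-getkeytab run bumps it and an older keytab fails just like a missing one. The parsers take tool output as text, so the check runs against the constructed sample at the bottom; the realm, hostname and sample values are assumptions.

```bash
# Added example, not from the page: keytab health check. A keytab can be present
# yet stale: each ipa-getkeytab run bumps the key version (KVNO) on the KDC, so
# an old /etc/krb5.keytab fails with the same symptoms as a missing one. Parsing
# takes tool output as text, so it runs on the constructed sample without a KDC.

# keytab_kvno "<klist -kt output>" PRINCIPAL: highest KVNO held for PRINCIPAL, or nothing.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i == p && $1 + 0 > max) max = $1 + 0 }
    END { if (max) print max }'
}

# kdc_kvno "<kvno output>": key version the KDC uses, from "host/x@REALM: kvno = 4".
kdc_kvno() {
  printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# keytab_status "<klist -kt output>" "<kvno output>" PRINCIPAL
# 0 = keytab matches KDC, 1 = principal missing, 2 = stale KVNO, 3 = KDC query failed.
keytab_status() {
  local have want
  have=$(keytab_kvno "$1" "$3")
  want=$(kdc_kvno "$2")
  [ -n "$want" ] || return 3
  [ -n "$have" ] || return 1
  [ "$have" = "$want" ] || return 2
  return 0
}

# Live check on an enrolled client; needs a ticket (kinit) and takes the realm as $1.
check_host_keytab() {
  local princ="host/$(hostname -f)@${1:?realm}" rc=0
  keytab_status "$(klist -kt /etc/krb5.keytab)" "$(kvno "$princ" 2>&1)" "$princ" || rc=$?
  case $rc in
    0) echo "keytab OK for $princ" ;;
    1) echo "$princ missing from /etc/krb5.keytab: re-run ipa-getkeytab" ;;
    2) echo "keytab KVNO is stale versus the KDC: re-run ipa-getkeytab, then restart sssd" ;;
    *) echo "could not query the KDC for $princ: check klist and kinit first" ;;
  esac
}

# Constructed sample (not captured from a real host): the keytab holds KVNO 2 and 3
# while the KDC is at KVNO 4, so keytab_status returns 2 (stale).
SAMPLE_PRINC="host/web01.example.com@EXAMPLE.COM"
SAMPLE_KLIST="Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   2 01/15/2024 10:00:00 host/web01.example.com@EXAMPLE.COM
   3 01/15/2024 10:00:00 host/web01.example.com@EXAMPLE.COM"
SAMPLE_KVNO="$SAMPLE_PRINC: kvno = 4"
```

On a real client, run `check_host_keytab EXAMPLE.COM` after kinit; a status of 2 is the stale-keytab case that a plain klist -kt listing would not reveal.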

certmonger — automatic certificate management

certmonger tracks service certificates and automatically renews them before expiry. It integrates with FreeIPA's CA and is the right way to manage host/service certificates on enrolled clients.

# List all tracked certificates
getcert list

# Request a new certificate from the IPA CA, stored as PEM files (-f/-k; use -d for an NSS db).
# The service principal given with -K must already exist in IPA (ipa service-add HTTP/web01.example.com).
getcert request \
  -c IPA \
  -f /etc/pki/tls/certs/httpd.crt \
  -k /etc/pki/tls/private/httpd.key \
  -N CN=web01.example.com,O=EXAMPLE.COM \
  -D web01.example.com \
  -K HTTP/web01.example.com

# Check status of a tracked cert
getcert list -f /etc/pki/tls/certs/httpd.crt

# Stop tracking a cert (does NOT revoke it)
getcert stop-tracking -f /etc/pki/tls/certs/httpd.crt

# Force immediate renewal
getcert resubmit -f /etc/pki/tls/certs/httpd.crt

Once a certificate is tracked by certmonger, you do not need to manually renew it — certmonger handles renewal, IPA CA signing, and file updates automatically. The service (httpd, etc.) still needs a reload after renewal; use the -C flag on getcert request to specify a post-renewal command (-C "systemctl reload httpd").