FreeIPA Core Basics
What FreeIPA is
FreeIPA is an identity management platform for Linux environments. It combines several systems into one:
- LDAP directory for users, groups, hosts, and policies
- Kerberos for authentication
- DNS in some deployments
- A Certificate Authority
- NTP time sync
Why it matters
Without centralised identity management, every machine manages its own local users. That does not scale. FreeIPA centralises identity and access so you can manage users, groups, and access policies from one place instead of editing /etc/passwd on every server.
Common objects
- user
- A person's identity account. Has a UID, password, and group memberships.
- group
- A named collection of users. Used in HBAC rules, sudo rules, and access policies.
- host
- A managed machine identity enrolled in FreeIPA.
- hostgroup
- A collection of hosts. Used in HBAC rules to define target machines.
- service
- An identity for a service, not a human. Example: HTTP/host.example.com.
- HBAC rule
- Host-Based Access Control. Controls which users can log into which hosts via which services.
- sudo rule
- Controls which users can run sudo commands on which hosts.
Useful commands
ipa user-find
ipa user-show alice
ipa user-add alice --first Alice --last Example
ipa group-find
ipa group-show admins
ipa host-find
ipa host-show host01.example.com
ipa service-find
ipa commands accept --all to show all attributes and --raw for raw output. Run ipa help for a full list of commands.
Kerberos basics
FreeIPA uses Kerberos for authentication. You need a valid Kerberos ticket to use ipa commands as an admin — and many services use Kerberos tickets instead of passwords.
kinit # get a ticket (prompts for password)
klist # list current tickets and expiry times
kdestroy # destroy all tickets (log out)
Why these matter: if auth problems occur, ticket state is often part of the issue. Always check klist first.
Enroll a client
Run on the machine you want to join to FreeIPA:
# Minimal — prompts for IPA server and admin password
ipa-client-install
# Specify server and domain explicitly (good for automation)
ipa-client-install \
--server=ipa01.example.com \
--domain=example.com \
--realm=EXAMPLE.COM \
--principal=admin \
--password=AdminPassword
# OTP (one-time password) enrollment — admin pre-generates an OTP in IPA
# then the host uses it instead of admin credentials
ipa-client-install --password=OTP123456
# If the host was previously enrolled and you need to re-enroll
ipa-client-install --force-join --unattended
This configures SSSD, Kerberos, and NTP on the client and creates a host object in FreeIPA. The machine then uses FreeIPA for user authentication.
For Ansible automation: use the ansible.builtin.command module with creates: /etc/ipa/default.conf so the task is idempotent — if the file already exists the host is already enrolled and the task is skipped.
DNS in FreeIPA
ipa dnszone-find
ipa dnsrecord-find example.com
Troubleshooting
- Can the host resolve the IPA server by hostname? (dig ipa-server.example.com)
- Is time in sync? (chronyc tracking, timedatectl)
- Does kinit succeed?
- Is the IPA server cert valid? (openssl x509 -in /etc/ipa/ca.crt -noout -dates)
- Is the client enrolled? (ipa host-show hostname)
- Can you query an object with the ipa CLI?
- Is SSSD running? (systemctl status sssd)
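Two of the checklist items above, clock skew and CA cert validity, turned into checks that judge command output instead of eyeballing it. This is an added example, not part of the original page; the SAMPLE_* strings are constructed to resemble chronyc tracking and openssl x509 -noout -dates output.

```python
# Added example (not from the page): judge clock skew and CA cert validity from the
# output of the commands in the checklist. Sample outputs below are constructed.
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

MAX_SKEW_SECONDS = 300.0  # Kerberos' default clock skew tolerance (5 minutes)

SAMPLE_CHRONYC = """\
Reference ID    : C0A80101 (ipa01.example.com)
Stratum         : 3
System time     : 0.000431 seconds slow of NTP time
Leap status     : Normal
"""
SAMPLE_DATES = "notBefore=Apr 23 02:00:00 2020 GMT\nnotAfter=Apr 23 02:00:00 2035 GMT\n"

def clock_is_sane(chronyc_tracking: str) -> Tuple[bool, str]:
    """Synchronised, and within the skew Kerberos will accept?"""
    leap = re.search(r"^Leap status\s*:\s*(.+)$", chronyc_tracking, re.M)
    status = leap.group(1).strip() if leap else "missing"
    if status != "Normal":
        return False, f"chrony not synchronised (leap status: {status})"
    m = re.search(r"^System time\s*:\s*([\d.]+) seconds (fast|slow) of NTP time",
                  chronyc_tracking, re.M)
    if not m:
        return False, "could not parse the System time line"
    offset = float(m.group(1))
    if offset > MAX_SKEW_SECONDS:
        return False, f"clock is {offset:.1f}s {m.group(2)}; kinit will fail"
    return True, f"offset {offset:.6f}s {m.group(2)}"

def parse_openssl_dates(openssl_dates: str) -> Tuple[datetime, datetime]:
    """Parse the notBefore/notAfter lines; openssl prints them with a GMT suffix."""
    fields = dict(line.split("=", 1) for line in openssl_dates.strip().splitlines())
    def to_dt(s):
        return datetime.strptime(s.replace(" GMT", ""), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def cert_is_valid(openssl_dates: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Expired, not yet valid (often a clock problem), or fine?"""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = parse_openssl_dates(openssl_dates)
    if now < not_before:
        return False, "cert not yet valid; check the client clock"
    days_left = (not_after - now).days
    if days_left < 0:
        return False, f"cert expired {-days_left} days ago"
    return True, f"cert valid for {days_left} more days"
```

Feed the functions the real output (subprocess.run(["chronyc", "tracking"], capture_output=True, text=True).stdout and the openssl equivalent) to use them on a host.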
Common logs and files
journalctl -u sssd -n 50
cat /var/log/sssd/sssd.log
- SSSD logs: /var/log/sssd/
- IPA client config: /etc/ipa/
- SSSD config: /etc/sssd/sssd.conf
- Kerberos config: /etc/krb5.conf
Host enrollment and keytab check
# Check if a host is enrolled and its current state
ipa host-show web01.example.com
# Useful fields in the output:
# Keytab: True/False — whether the host has a valid keytab
# SSH public key: ... — if the host publishes SSH keys via IPA
# Enrolled: True/False
# List all hosts
ipa host-find
# Check the host keytab locally
klist -kt /etc/krb5.keytab # should show host/fqdn@REALM entries
# If the keytab is missing or invalid, re-retrieve it
ipa-getkeytab -s ipa01.example.com -p host/$(hostname -f) -k /etc/krb5.keytab
A missing or expired host keytab is a common reason SSSD stops working after a server rebuild or re-image. The fix is always to re-run ipa-getkeytab and restart sssd.
certmonger — automatic certificate management
certmonger tracks service certificates and automatically renews them before expiry. It integrates with FreeIPA's CA and is the right way to manage host/service certificates on enrolled clients.
# List all tracked certificates
getcert list
# Request a new certificate from the IPA CA (key and cert stored as PEM files via -k/-f)
getcert request \
-c IPA \
-f /etc/pki/tls/certs/httpd.crt \
-k /etc/pki/tls/private/httpd.key \
-N CN=web01.example.com,O=EXAMPLE.COM \
-D web01.example.com \
-K HTTP/web01.example.com
# Check status of a tracked cert
getcert list -f /etc/pki/tls/certs/httpd.crt
# Stop tracking a cert (does NOT revoke it)
getcert stop-tracking -f /etc/pki/tls/certs/httpd.crt
# Force immediate renewal
getcert resubmit -f /etc/pki/tls/certs/httpd.crt
Once a certificate is tracked by certmonger, you do not need to manually renew it — certmonger handles renewal, IPA CA signing, and file updates automatically. The service (httpd, etc.) still needs a reload after renewal; use the -C flag on getcert request to specify a post-renewal command (-C "systemctl reload httpd").
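The caveat to "you do not need to manually renew it" is that certmonger can get stuck (CA unreachable, request rejected) and then nothing renews. The following is an added example, not code from the page or from certmonger, that flags tracked requests needing a human; SAMPLE_GETCERT is constructed to resemble getcert list output, trimmed to the fields used.

```python
# Added example (not from the page or certmonger): flag tracked certificates that
# will not renew on their own. SAMPLE_GETCERT is constructed to resemble
# `getcert list` output, trimmed to the fields used here.
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20260423020000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/etc/pki/tls/certs/httpd.crt'
\texpires: 2036-04-23 02:00:00 UTC
\tauto-renew: yes
Request ID '20260423020100':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=FILE,location='/etc/pki/tls/certs/ldap.crt'
\texpires: 2026-05-01 00:00:00 UTC
\tauto-renew: yes
"""

def parse_getcert(text: str) -> List[Dict[str, str]]:
    """One {field: value} dict per 'Request ID' block, with the id under 'id'."""
    parts = re.split(r"^Request ID '([^']+)':$", text, flags=re.M)
    requests = []
    for req_id, body in zip(parts[1::2], parts[2::2]):
        fields = {"id": req_id}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip()
        requests.append(fields)
    return requests

def needs_attention(req: Dict[str, str], now: datetime, warn_days: int = 14) -> Optional[str]:
    """Why this request will not take care of itself, or None if it is healthy."""
    if req.get("status") != "MONITORING":
        return f"status is {req.get('status')}"
    if req.get("stuck") == "yes":
        return "request is stuck; fix the cause, then getcert resubmit"
    if req.get("auto-renew") != "yes":
        return "auto-renew is off"
    expires = datetime.strptime(req["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    days = (expires.replace(tzinfo=timezone.utc) - now).days
    return f"expires in {days} days and has not renewed" if days < warn_days else None

def report(text: str, now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """(request id, reason) for every tracked request that needs attention."""
    now = now or datetime.now(timezone.utc)
    return [(r["id"], why) for r in parse_getcert(text) if (why := needs_attention(r, now))]
```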
Backups — ipa-backup / ipa-restore
FreeIPA has its own backup tool that snapshots everything needed to rebuild a server: the LDAP directory, Kerberos DB, CA (Dogtag) data, DNS config, and all certificates and keys. You cannot safely back this up with plain tar — the internal DBs must be quiesced first.
# Full backup — includes directory, Kerberos, CA, DNS, and all configs
ipa-backup
# Data-only online backup (services keep running, faster, but not a full-server image)
ipa-backup --data --online
# Restore (server should be reinstalled or match the backup's hostname/realm)
ipa-restore /var/lib/ipa/backup/ipa-full-2026-04-23-02-00-00
Backups land in /var/lib/ipa/backup/ as a timestamped directory — copy them off-host immediately, they contain the KDC master key and CA private keys. Running ipa-backup without --online briefly stops the IPA services on that server; schedule it on a replica, not your primary.
Run ipa-backup daily (or at least weekly), copy it off-host, and do a quarterly restore drill onto a throwaway VM. An untested backup is a wish, not a backup, and FreeIPA restores surface hostname/realm/cert-chain mismatches you want to discover before a real outage.
Replica topology
FreeIPA scales by replicating the directory, Kerberos DB, and (optionally) the CA between multiple servers. Each replica is fully read-write; clients can use any of them.
- Star topology — every replica talks only to one central hub. Simple mental model, but the hub is a single point of failure for replication flow.
- Mesh / ring topology — each replica has 2+ agreements to other replicas. The recommended production pattern: no single replica going offline stops convergence.
- CA replica — not every replica runs the Dogtag CA. You want at least two CA replicas so certmonger renewals keep working if one is offline.
Practical rule: deploy three replicas minimum (quorum for decision-making, tolerates losing one), two of them with the CA role, with replication agreements forming a ring rather than a hub. For the deep-dive on agreements, ipa-replica-manage, and fixing broken topologies, see FreeIPA Replication.
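The practical rule above, checked mechanically: given the replication agreements and which replicas carry the CA role, report anything that breaks the ring-of-three-with-two-CAs pattern. This is an added example, not from the page or FreeIPA; hostnames are constructed and agreements are modelled as undirected pairs.

```python
# Added example (not from the page or FreeIPA): check a topology against the rule
# above. Hostnames are constructed; agreements are listed as undirected pairs.
from typing import Dict, List, Optional, Set, Tuple

# Constructed: three replicas in a ring, two of them with the CA role.
RING = {
    "agreements": [("ipa01.example.com", "ipa02.example.com"),
                   ("ipa02.example.com", "ipa03.example.com"),
                   ("ipa03.example.com", "ipa01.example.com")],
    "ca_replicas": {"ipa01.example.com", "ipa02.example.com"},
}
# Constructed: a star around ipa01, which is also the only CA.
STAR = {
    "agreements": [("ipa01.example.com", "ipa02.example.com"),
                   ("ipa01.example.com", "ipa03.example.com")],
    "ca_replicas": {"ipa01.example.com"},
}

def adjacency(agreements: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for a, b in agreements:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def connected(adj: Dict[str, Set[str]], skip: Optional[str] = None) -> bool:
    """Can every remaining replica still reach every other if `skip` is offline?"""
    nodes = [n for n in adj if n != skip]
    seen, stack = set(), nodes[:1]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(m for m in adj[n] if m != skip)
    return len(seen) == len(nodes)

def topology_problems(topo: dict) -> List[str]:
    """Everything that breaks the 'ring of three or more, two CAs' rule."""
    adj = adjacency(topo["agreements"])
    problems = []
    if len(adj) < 3:
        problems.append(f"only {len(adj)} replicas; deploy at least three")
    for host in adj:
        if len(adj[host]) < 2:
            problems.append(f"{host} has a single agreement (no redundancy)")
        if not connected(adj, skip=host):
            problems.append(f"losing {host} partitions replication")
    if len(topo["ca_replicas"]) < 2:
        problems.append("fewer than two CA replicas; renewals depend on one server")
    return problems
```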
AD trust (stub)
FreeIPA can form a cross-realm Kerberos trust with Active Directory so that AD users can log into Linux hosts (and be referenced in HBAC/sudo rules) without syncing accounts. The setup hinges on ipa-adtrust-install, Samba, and a handful of DNS/SPN details that deserve their own page — this is a stub pointer for a future FreeIPA AD Trust page. The one command to remember for now: ipa-adtrust-install, run on an IPA server that already has the CA role.