Rocky Linux 9.6 FreeIPA 4.12.2 Status: Stable ✅

Objective

Deploy a clean, repeatable FreeIPA environment providing identity, DNS, Kerberos, and CA services for int.riodvr.com. Primary host: ipa2.int.riodvr.com (10.1.215.23).

Network Overview

Primary
Host: ipa2.int.riodvr.com
IP: 10.1.215.23
Role: FreeIPA Master (DNS, LDAP, KDC, CA)
Planned Replica
Host: ipa3.int.riodvr.com
IP: 10.1.104.x
Role: FreeIPA Replica (HA DNS/LDAP)

Key Lessons Learned

Issue                   | Root Cause                              | Resolution
------------------------+-----------------------------------------+--------------------------------------------------------
Installer errors early  | Missing package freeipa-server-common   | Install required IPA packages before running installer
IPv6 overriding IPv4    | Default GAI + myhostname NSS            | Prefer IPv4 in /etc/gai.conf and set hosts: files dns
DNS confusion           | Inconsistent /etc/hosts and resolv.conf | Ensure host resolves to correct IPv4 before install
Kerberos hiccups        | Clock skew / no NTP                     | Enable chrony; verify chronyc tracking
OPNsense using old DNS  | DHCP Option 6 cache                     | Update to 10.1.215.23 first

Base VM Setup (ipa2)

Install & OS Basics

  • Rocky Linux 9.6 (minimal), DHCP reservation → 10.1.215.23
  • Hostname: ipa2.int.riodvr.com

Enable SSH password login

# /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
# Ensure:
PasswordAuthentication yes
PermitRootLogin yes
sudo systemctl restart sshd

Sanity checks

ip a
cat /etc/resolv.conf
hostnamectl
cat /etc/hosts
# Expect: 10.1.215.23 ipa2.int.riodvr.com ipa2

Pre-Install Fixes

Enable IPv6 on loopback

sudo sed -i '/disable_ipv6/d' /etc/sysctl.conf
echo 'net.ipv6.conf.all.disable_ipv6 = 0' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.default.disable_ipv6 = 0' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.lo.disable_ipv6 = 0' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
ip -6 addr show lo   # should show ::1/128

Prefer IPv4 + Fix NSS order

# /etc/nsswitch.conf
sudo cp /etc/nsswitch.conf{,.bak}
sudo sed -i 's/^hosts:.*/hosts: files dns/' /etc/nsswitch.conf
# /etc/gai.conf
sudo nano /etc/gai.conf
# Add (top of file is fine):
precedence ::ffff:0:0/96  100
# Flush resolver caches and re-check (each service may not be present, hence "|| true"):
sudo resolvectl flush-caches 2>/dev/null || true
sudo systemctl restart nscd 2>/dev/null || true
sudo systemctl restart sssd 2>/dev/null || true
getent hosts ipa2.int.riodvr.com
# Expect: 10.1.215.23 ipa2.int.riodvr.com ipa2
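An added pre-flight check (written for this playbook, not part of the original page) that verifies the three name-resolution settings above before the installer runs: the /etc/hosts entry, the hosts: line in nsswitch.conf, and the gai.conf precedence line. The file-path parameters are an assumption made so the functions can be exercised against constructed copies; on the real host call preflight with just the FQDN and IPv4.

```shell
#!/bin/bash
# Added pre-flight check for the name-resolution fixes in this playbook (not part of
# the original page). File paths are parameters (an assumption for testability); on
# the real host call:  preflight ipa2.int.riodvr.com 10.1.215.23

# /etc/hosts must map the FQDN to the expected IPv4 (see "Sanity checks" above).
check_hosts_entry() {  # $1=hosts file  $2=fqdn  $3=expected IPv4
    awk -v fqdn="$2" -v ip="$3" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == fqdn && $1 == ip) ok = 1 }
        END { exit !ok }' "$1"
}

# The hosts: line must list files before dns and must not carry myhostname,
# which is what let the link-local IPv6 address shadow 10.1.215.23 during install.
check_nsswitch_hosts() {  # $1=nsswitch.conf
    awk '/^hosts:/ { found = 1
               for (i = 2; i <= NF; i++) {
                   if ($i == "myhostname") bad = 1
                   if ($i == "files" && !f) f = i
                   if ($i == "dns"   && !d) d = i
               } }
         END { exit !(found && !bad && f && d && f < d) }' "$1"
}

# gai.conf must carry the IPv4-mapped precedence line so getaddrinfo prefers A records.
check_gai_precedence() {  # $1=gai.conf
    grep -Eq '^[[:space:]]*precedence[[:space:]]+::ffff:0:0/96[[:space:]]+100([[:space:]]|$)' "$1"
}

# Runs all three checks, prints what failed, returns 0 only when every check passes.
preflight() {  # $1=fqdn  $2=expected IPv4  [$3=hosts] [$4=nsswitch.conf] [$5=gai.conf]
    rc=0
    check_hosts_entry "${3:-/etc/hosts}" "$1" "$2" \
        || { echo "FAIL: no '$2 $1' entry in ${3:-/etc/hosts}"; rc=1; }
    check_nsswitch_hosts "${4:-/etc/nsswitch.conf}" \
        || { echo "FAIL: hosts: line should be 'files dns' (no myhostname)"; rc=1; }
    check_gai_precedence "${5:-/etc/gai.conf}" \
        || { echo "FAIL: gai.conf lacks 'precedence ::ffff:0:0/96 100'"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 -> $2 resolution prerequisites satisfied"
    return "$rc"
}
```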

FreeIPA Installation (ipa2)

dnf install -y freeipa-server freeipa-server-dns chrony
ipa-server-install --setup-dns --mkhomedir \
  --hostname=ipa2.int.riodvr.com \
  --domain=int.riodvr.com \
  --realm=INT.RIODVR.COM \
  --forwarder=10.1.215.1 \
  --forwarder=1.1.1.1 \
  --forwarder=8.8.8.8 \
  --auto-reverse \
  --no-dnssec-validation

Prompts: set the Directory Manager password and the IPA admin password, enter NetBIOS name INT, and accept the default chrony configuration.

Post-Install Validation

ipactl status
dig +short ipa2.int.riodvr.com @127.0.0.1
dig -x 10.1.215.23 @127.0.0.1
ldapsearch -x -H ldap://localhost -b "" -s base namingContexts
kdestroy
kinit admin
klist
ipa ping
curl -kI https://ipa2.int.riodvr.com/ipa/ui

OPNsense Integration

  1. System → Settings → General → DNS Servers:
    • 10.1.215.23
    • 1.1.1.1
    • 8.8.8.8
  2. Ensure the firewall itself uses the DNS forwarder (do not disable it).

Backups

# Manual snapshot
ipactl stop
tar czf /root/ipa2-backup-$(date +%F).tar.gz /etc/ipa /var/lib/ipa /etc/dirsrv
ipactl start
/etc/cron.daily/ipa-backup (make it executable with chmod +x):
#!/bin/bash
# Stop IPA for a consistent copy, then restart it even if tar fails,
# so a failed archive never leaves the services down.
ipactl stop
tar czf /root/ipa2-backup-$(date +%F).tar.gz /etc/ipa /var/lib/ipa /etc/dirsrv
status=$?
ipactl start
exit $status

Replica (ipa3) – Plan

  1. Provision VM ipa3.int.riodvr.com (10.1.104.x). DNS → 10.1.215.23.
  2. Repeat IPv4 preference and nsswitch.conf fix.
  3. Install packages:
     dnf install -y freeipa-server freeipa-server-dns
  4. On ipa2:
     ipa-replica-prepare ipa3.int.riodvr.com
  5. On ipa3:
     ipa-replica-install --setup-dns --mkhomedir --no-forwarders
  6. Validate:
     ipa-replica-manage list
     ipa dnsserver-find

Future Enhancements

  • Add ipa3 (HA DNS/LDAP)
  • Join key servers with SSSD
  • IPA CA-issued internal TLS certs
  • Authoritative zones for all sites
  • Optional AD trust (if needed)

Verification Snapshot

  • All IPA services RUNNING on ipa2
  • Kerberos tickets issuing (admin)
  • DNS forward & reverse working
  • Web UI reachable
  • Backup archive captured
  • Ready to build ipa3

© 2025 – FreeIPA Deployment for INT.RIODVR.COM. Generated playbook.